The hacking group tracked by Microsoft as Secret Blizzard (also known as Turla, Waterbug, and Venomous Bear) has been observed exploiting its adversary-in-the-middle (AiTM) position at the internet service provider (ISP) level to infect the systems of diplomatic missions with custom ApolloShadow malware. Microsoft warns that a cyber-espionage group linked to Russia's Federal Security Service (FSB) is targeting diplomatic missions in Moscow using local internet service providers.

"This is the first time Microsoft can confirm Secret Blizzard's capability to conduct espionage at the ISP level, meaning diplomatic personnel using local internet providers and telecommunications in Russia are at high risk of being targets of Secret Blizzard's AiTM position within those services," Microsoft said.

Two years ago, CISA linked the group to Center 16 of Russia's Federal Security Service (FSB) and a peer-to-peer (P2P) network of computers infected with Snake cyber-espionage malware that was later taken down in a joint action involving Five Eyes cybersecurity and intelligence agencies.

Once deployed, ApolloShadow installs a trusted root certificate disguised as Kaspersky Anti-Virus, which helps trick compromised devices into recognizing malicious websites as legitimate, allowing threat actors to maintain long-term access for intelligence gathering after infiltrating diplomatic systems. Secret Blizzard hackers are also taking advantage of Russia's domestic interception systems, including the System for Operative Investigative Activities (SORM), to carry out their large-scale AiTM campaigns.
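Because the persistence mechanism described above is a rogue root certificate in the trusted store, the check a defender wants is an inventory of locally added roots. The PowerShell below is an added example written for this summary, not code from the article or from Microsoft: it lists root CAs in the machine and user stores that are neither distributed through Windows' own AuthRoot store nor in a baseline you pin from a known-clean host, and flags any whose subject name-drops a security vendor. The `$Baseline` thumbprint is a placeholder to be replaced with your own values; no thumbprint or indicator from the reported campaign is assumed.

```powershell
# Added defender check, not code from the article or from Microsoft.
# Enumerates root CAs trusted by this host that did not come from the
# Windows AuthRoot store (the roots Microsoft distributes) and are not in
# a pinned baseline, then highlights vendor-lookalike subject names.
# Assumption: the baseline below is filled from a known-good machine;
# the value shown is a placeholder, not a real thumbprint.

$Baseline = @(
    'PLACEHOLDER-THUMBPRINT-OF-YOUR-INTERNAL-PKI-ROOT'
)

# Roots delivered by Microsoft's root program; a root that is only in
# Cert:\*\Root and not here was installed locally (by policy, an admin,
# or malware).
$msRoots = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object {
            ($_.Thumbprint -notin $msRoots) -and ($_.Thumbprint -notin $Baseline)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store           = $store
                Subject         = $_.Subject
                Issuer          = $_.Issuer
                SelfSigned      = ($_.Subject -eq $_.Issuer)
                NotBefore       = $_.NotBefore
                Thumbprint      = $_.Thumbprint
                # A root whose name imitates a security product but that did
                # not arrive via Microsoft's program or your baseline deserves
                # a closer look; the pattern is a constructed example.
                VendorLookalike = ($_.Subject -match 'Kaspersky|Anti-?Virus')
            }
        }
}

# Newest additions first: a freshly installed root is the usual tell.
$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: roots that ship in the base Windows image can appear in `Root` without a copy in `AuthRoot`, so the first run on a clean host is what populates `$Baseline`, and a root that passes this filter still only proves it was added locally, not that it is malicious. Any unexplained root, especially a self-signed one with a recent `NotBefore`, should be exported and compared against the vendor's published certificate before the host is treated as clean.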
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 31 Jul 2025 16:35:25 +0000