Microsoft exposes Kremlin hackers who targeted foreign embassies in Moscow
A Russian hacking group known as Secret Blizzard, which is directly linked to Russia’s Federal Security Service (FSB), has used a state surveillance system to conduct cyberespionage operations against foreign embassies in Moscow.
Source: Microsoft Threat Intelligence report, 31 July 2025
Details: Microsoft revealed that Secret Blizzard (also known as Turla) launched a large-scale cyberespionage campaign targeting foreign diplomatic missions operating in Moscow. The hackers gained access to Russian internet providers and used their infrastructure to intercept internet traffic from embassies.
Experts found that the attacks employed adversary-in-the-middle (AiTM) techniques, which allow an attacker to insert themselves between the user and the server to intercept data.
During the attacks, hackers deployed malicious software called ApolloShadow on diplomatic devices. This malware enabled a technique known as HTTPS downgrading (TLS/SSL stripping), effectively converting encrypted traffic into unencrypted data, allowing hackers to steal logins, passwords, authentication tokens and other sensitive information.
Additionally, ApolloShadow installed a trusted root certificate from Kaspersky Lab on users' devices. As a result, the compromised systems accepted connections from fake or infected sites as secure, allowing the hackers to maintain long-term control over diplomats' devices.
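As an added defender-side example, not taken from the Microsoft report or this article, the detection logic below looks for the downgrade pattern described above in egress proxy logs: a host that a client normally reaches over HTTPS is suddenly contacted over plaintext HTTP, and the alert is escalated when credentials travel on that plaintext request. The log format, hostnames and the HSTS list are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample egress-proxy log lines (not real traffic):
# timestamp, client IP, method, URL, whether credentials were sent.
SAMPLE_LOG = """\
2025-07-31T09:00:01Z 10.1.2.3 GET https://mail.example.gov/inbox auth=yes
2025-07-31T09:00:05Z 10.1.2.3 GET https://cdn.example.net/app.js auth=no
2025-07-31T09:01:12Z 10.1.2.3 GET http://mail.example.gov/ auth=no
2025-07-31T09:01:13Z 10.1.2.3 POST http://mail.example.gov/login auth=yes
2025-07-31T09:02:00Z 10.1.2.9 GET http://intranet.example.gov/news auth=no
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) auth=(yes|no)$")


def find_downgrades(log_text, hsts_hosts=()):
    """Return alerts for plaintext HTTP requests that look like TLS stripping.

    A host is 'expected over HTTPS' when this client already reached it over
    HTTPS earlier in the log, or when it is in the caller-supplied HSTS/known
    list (a hypothetical allowlist the defender maintains). An alert fires
    when such a host is then contacted over plain http; severity is raised
    when credentials ride on the plaintext request.
    """
    seen_https = defaultdict(set)  # client -> hosts reached over https so far
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, method, url, auth = m.groups()
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme == "https":
            seen_https[client].add(host)
            continue
        if parts.scheme != "http":
            continue
        expected_tls = host in seen_https[client] or host in hsts_hosts
        if not expected_tls:
            continue
        severity = "high" if auth == "yes" else "medium"
        alerts.append({"time": ts, "client": client, "host": host,
                       "method": method, "severity": severity})
    return alerts
```

A medium alert on its own may be a stale bookmark or a captive portal; the high-severity case (credentials or a login POST over plaintext to a host previously seen over HTTPS) is the signal worth paging on.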
Experts believe that the key enabler of this large-scale cyberattack was Russia’s System for Operative Investigative Activities (SORM), a state-run infrastructure that permits security agencies to intercept internet traffic in real time.
For reference: Secret Blizzard has been identified by the US Cybersecurity and Infrastructure Security Agency (CISA) as a subdivision of Centre 16 of the FSB. It is considered one of the world’s leading state-sponsored hacking units and is routinely used by the Russian government in cyberwarfare and influence campaigns.
Background:
- The Secret Blizzard group has previously targeted foreign ministries, particularly in Eastern Europe, tricking users into downloading malware from attacker-controlled servers. In 2023, the US Department of Justice announced the takedown of a massive Turla botnet used for global Kremlin-backed espionage.
- In December 2017, US President Donald Trump signed a law banning the use of Kaspersky Lab software in US government agencies due to fears it was being used by Russia for espionage.
- In March 2022, the US Federal Communications Commission added Kaspersky Lab to the list of companies that pose a threat to US national security.