New Insights on Cyber Attacks Against Foreign Embassies in Moscow
The hacking group Secret Blizzard, linked to Russian security services, used a state communication interception system to spy on foreign embassies in Moscow.
This was reported in the Microsoft Threat Intelligence report dated July 31, 2025.
According to Microsoft, the Secret Blizzard group (also known as Turla) executed a large-scale cyber espionage campaign targeting foreign diplomatic missions in Moscow. The hackers accessed Russian internet providers and leveraged their infrastructure to intercept the internet traffic of diplomatic institutions.
The attack relied on the Adversary-in-the-Middle (AiTM) technique: by sitting between the victim and the server, the attackers could intercept the data exchanged between them.
During the attacks, the hackers deployed the malicious software ApolloShadow on diplomatic devices. It facilitated HTTPS downgrade attacks (TLS/SSL stripping), exposing traffic that would otherwise have been encrypted, including logins, passwords, and tokens.
Additionally, ApolloShadow installed a root certificate from Kaspersky Lab into the trust store, so the victims' systems treated it as trusted and the hackers could present fake or compromised sites as if the connection were secure. This granted the group long-term control over the devices of foreign diplomats.
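A defender's counterpart to the root-certificate step described above, added here as an illustrative example rather than anything taken from the Microsoft report: the script diffs an exported snapshot of a Windows machine root store against the thumbprints of a known-good build of the same image and flags unknown roots, noting when one reuses the subject name of a legitimate root (vendor lookalike) or was issued shortly before the snapshot. The CSV layout, thumbprints and dates are constructed for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of a Windows machine root store (Subject,Thumbprint,NotBefore),
# as Export-Csv over Cert:\LocalMachine\Root could produce. All values are fabricated.
ROOT_STORE_CSV = """Subject,Thumbprint,NotBefore
"CN=Example Vendor Root CA, O=Example Vendor",1111111111111111111111111111111111111111,2012-01-10
"CN=Example AV Personal Root Certificate, O=Example AV",2222222222222222222222222222222222222222,2019-05-02
"CN=Example AV Personal Root Certificate, O=Example AV",DEADBEEF00000000000000000000000000000000,2025-07-20
"""

# Thumbprints captured from a known-good build of the same device image (constructed).
BASELINE = {
    "1111111111111111111111111111111111111111",
    "2222222222222222222222222222222222222222",
}

# Date the store snapshot was taken (constructed).
SNAPSHOT_DATE = date(2025, 7, 31)


def parse_store(csv_text):
    """Parse the export into a list of {subject, thumbprint, not_before} records."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        {
            "subject": r["Subject"],
            "thumbprint": r["Thumbprint"].upper(),
            "not_before": date.fromisoformat(r["NotBefore"]),
        }
        for r in rows
    ]


def audit_root_store(entries, baseline, snapshot_date, fresh_days=30):
    """Return one finding per root whose thumbprint is not in the baseline.
    Each finding records whether the subject duplicates a baselined root
    (vendor lookalike) and whether the root was issued within fresh_days
    of the snapshot (freshly minted, as a newly injected root would be)."""
    known_subjects = {e["subject"] for e in entries if e["thumbprint"] in baseline}
    findings = []
    for e in entries:
        if e["thumbprint"] in baseline:
            continue
        findings.append({
            "thumbprint": e["thumbprint"],
            "subject": e["subject"],
            "lookalike": e["subject"] in known_subjects,
            "fresh": snapshot_date - e["not_before"] <= timedelta(days=fresh_days),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_root_store(parse_store(ROOT_STORE_CSV), BASELINE, SNAPSHOT_DATE):
        print(finding)
```

In practice the baseline is the thumbprint set captured from a freshly provisioned device, and any unknown root is investigated before it is accepted, whatever vendor name its subject carries.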
Experts believe that the Operational Search Measures System (SORM), a Russian state system that lets law enforcement agencies intercept internet traffic in real time, played a crucial role in this extensive cyber attack.
Secret Blizzard has been identified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as part of the FSB's "Center 16", which ranks among the leading state-sponsored hacker groups globally.