Russian cyberspies are abusing local internet service providers’ networks to target foreign embassies in Moscow and collect intel from diplomats’ devices, according to a Microsoft Threat Intelligence warning.
In a Thursday report, Redmond detailed the ongoing cyber-espionage campaign, active since at least 2024 and carried out by a Kremlin-backed group it tracks as Secret Blizzard (aka VENOMOUS BEAR, Turla, WRAITH, ATG26). Microsoft declined to say how many organizations were targeted, or successfully infected, in this campaign.
The threat hunters first observed one such Secret Blizzard snooping mission in February. Putin’s spies, according to Microsoft, used an adversary-in-the-middle (AiTM) position at the ISP/telco level to gain access to foreign embassies located in Moscow and deploy their custom ApolloShadow malware.
In an AiTM attack, the attacker intercepts communications between two parties, such as the victim’s device and website they are trying to access. The attacker can then read messages and steal sensitive information like login credentials or financial account info. Or they can use this AiTM position to redirect users to fake websites or inject malicious code.
To achieve AiTM intrusions, the attacker usually creates a fake network with a similar name to one the victim is trying to connect to — for example, a phony airport Wi-Fi network that’s just a letter or two off from the real thing.
But in this case, Secret Blizzard’s AiTM position at the ISP level “is likely facilitated by lawful intercept,” the threat hunters noted.
The Register asked Microsoft if this means that the attackers have ISP consent to sit on the networks, intercept victims’ communications, and push malware to their devices.
“We do not have insight into the relationship between the threat actor and the ISP. In certain geopolitical contexts, any ISP may not be acting independently,” Microsoft director of threat intelligence strategy Sherrod DeGrippo responded. “The takeaway here is for personnel with access to this level of sensitive data, networks used should be vetted and secured with end-to-end visibility.”
The bottom line, she added, is that anyone sending and receiving super sensitive data should use thoroughly vetted networks that are secured with end-to-end visibility. “In a country where the government has deep technical and legal control over ISPs, that infrastructure can become part of the threat surface,” DeGrippo said.
While Microsoft previously claimed that Secret Blizzard conducted snooping campaigns inside Russia against both foreign and domestic entities, “this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level,” according to the report.
How the attack works
In the new campaign, Kremlin spies redirect target devices by putting them behind a captive portal: a web page that manages network access, of the kind a user sees when connecting to the internet at an airport or hotel. The mechanism itself is legitimate; here it is under the attackers' control.
Once the victim’s device is behind this captive portal, the attackers initiate the Windows Test Connectivity Status Indicator. This is a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should redirect to msn[.]com.
In this attack, the request instead redirects to a Secret Blizzard-controlled domain that likely displays a certificate validation error and gets the user to download and execute ApolloShadow. If the device isn’t running on default admin settings, the user is presented with a pop-up window telling them to download fake certificates, a file named CertificateDB[.]exe, which gives the attackers elevated privileges.
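A defender-side check for the redirect step described above, written for this page as an added example (it is not code from the Register article or from Microsoft's report). It fetches the connectivity probe URL without following redirects, so the first hop is visible, and classifies the response: a redirect into msn.com is what the article says a healthy probe looks like; a redirect anywhere else, or a page body where a redirect was expected, is reported for review, since it may be a benign hotel or airport portal or an interception point. The expected domain, the verdict names and the sample values at the bottom are assumptions made for the example.

```powershell
# Added example, not from the Register article or Microsoft's report.
# Assumptions: the healthy probe lands on msn.com (as the article states);
# any other first hop is flagged rather than judged benign or malicious.

$ProbeUrl       = 'http://www.msftconnecttest.com/redirect'
$ExpectedDomain = 'msn.com'

function Test-HostInDomain {
    # True if $HostName is $Domain or a subdomain of it (case-insensitive,
    # trailing dot ignored). "msn.com.evil.example" does NOT match.
    param([string]$HostName, [string]$Domain)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    return ($h -eq $Domain) -or $h.EndsWith('.' + $Domain)
}

function Get-ProbeVerdict {
    # Classify one probe response from its status code and Location header.
    # Kept separate from the network call so captured values can be checked offline.
    param([int]$StatusCode, [string]$Location)
    if ($StatusCode -in 301, 302, 303, 307, 308) {
        $uri = $null
        $target = if ([System.Uri]::TryCreate($Location, [System.UriKind]::Absolute, [ref]$uri)) { $uri.Host } else { $Location }
        if (Test-HostInDomain -HostName $target -Domain $ExpectedDomain) {
            return [pscustomobject]@{ Verdict = 'expected'; Target = $target }
        }
        return [pscustomobject]@{ Verdict = 'unexpected_redirect'; Target = $target }
    }
    # A page body where a redirect was expected is the classic captive-portal
    # signature; it also covers a portal that swallows the probe entirely.
    return [pscustomobject]@{ Verdict = 'no_redirect'; Target = '' }
}

function Invoke-ProbeCheck {
    # Live check: request the probe URL with auto-redirect disabled so the
    # first Location header is returned instead of being followed.
    param([string]$Url = $ProbeUrl)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as an exception that still carries the response.
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    try {
        $status   = [int]$resp.StatusCode
        $location = [string]$resp.Headers['Location']
        Get-ProbeVerdict -StatusCode $status -Location $location |
            Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    } finally {
        $resp.Close()
    }
}

# Offline checks on constructed values (not real captures):
Get-ProbeVerdict -StatusCode 302 -Location 'http://www.msn.com/'                      # expected
Get-ProbeVerdict -StatusCode 302 -Location 'https://portal.example-isp.invalid/cert'  # unexpected_redirect
Get-ProbeVerdict -StatusCode 200 -Location ''                                         # no_redirect

# Live check against the real probe URL (needs network access):
# Invoke-ProbeCheck
```

Run the live check from a network you already trust once to record a baseline, then again from the network under test; an `unexpected_redirect` verdict on its own only tells you that something between the host and Microsoft is answering the probe, which is exactly the position the article describes and is also what every hotel portal does, so the target hostname is the field to look at.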
“We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target’s browsing in clear text including the delivery of certain tokens and credentials,” Microsoft wrote.
Using their AiTM position, the Russian spies can use DNS manipulation to redirect communications to a Secret Blizzard-controlled command-and-control server, and then send the second-stage payload to the victim’s device.
This second stage presents the victim with a User Account Control (UAC) pop-up window asking permission to bypass UAC safety mechanisms. If the user clicks “Yes,” the malware runs with the highest available privileges, which ApolloShadow first uses to set all networks to “private,” making the host discoverable, and to change firewall rules to enable file sharing.
“While we did not see any direct attempts for lateral movement, the main reason for these modifications is likely to reduce the difficulty of lateral movement on the network,” Microsoft wrote.
Finally, ApolloShadow uses the NetUserAdd Windows API to create an administrative user on the compromised system with the username UpdatusUser and a hardcoded password that is set to never expire. The malware now has persistent access to the infected host via the newly created local admin user.
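A read-only host audit covering the three post-exploitation changes the article attributes to ApolloShadow (networks switched to “private,” file-sharing firewall rules enabled, and a local admin with a non-expiring password), written for this page as an added example rather than code from the Register article or from Microsoft's report. It assumes a Windows host with the built-in LocalAccounts and NetSecurity PowerShell modules and English firewall display-group names; the list of expected local admins, the severity labels and the function name are assumptions to adapt to your environment. The check goes slightly beyond the article by reporting any unexpected local admin with a non-expiring password, not only the UpdatusUser name, since the name is trivially changed.

```powershell
# Added example, not from the Register article or Microsoft's report.
# Reports indicators only; it changes nothing on the host.
# Assumptions: LocalAccounts and NetSecurity modules available, English
# firewall display-group names, and that $KnownAdmins lists the local
# administrator accounts you expect to see.

function Get-ApolloShadowIndicators {
    param(
        [string[]]$KnownAdmins = @('Administrator'),   # expected local admins
        [string]$SuspectUser   = 'UpdatusUser'          # name reported in the article
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Local admin accounts with non-expiring passwords (NetUserAdd persistence).
    #    Get-LocalUser leaves PasswordExpires empty when "never expires" is set.
    $adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value
    foreach ($u in Get-LocalUser) {
        $isAdmin      = $adminSids -contains $u.SID.Value
        $neverExpires = ($null -eq $u.PasswordExpires)
        if ($u.Name -eq $SuspectUser) {
            $findings.Add([pscustomobject]@{
                Check = 'LocalUser'; Severity = 'High'
                Detail = "account '$($u.Name)' present (enabled=$($u.Enabled), admin=$isAdmin, neverExpires=$neverExpires)"
            })
        } elseif ($isAdmin -and $neverExpires -and $u.Enabled -and ($KnownAdmins -notcontains $u.Name)) {
            $findings.Add([pscustomobject]@{
                Check = 'LocalUser'; Severity = 'Medium'
                Detail = "unexpected local admin '$($u.Name)' with non-expiring password"
            })
        }
    }

    # 2. Network profiles set to Private (makes the host discoverable).
    #    Domain-joined interfaces show DomainAuthenticated and are not flagged.
    foreach ($p in Get-NetConnectionProfile) {
        if ($p.NetworkCategory -eq 'Private') {
            $findings.Add([pscustomobject]@{
                Check = 'NetworkProfile'; Severity = 'Medium'
                Detail = "profile '$($p.Name)' on $($p.InterfaceAlias) is Private"
            })
        }
    }

    # 3. Inbound File and Printer Sharing rules that are enabled.
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' }
    foreach ($r in $rules) {
        $findings.Add([pscustomobject]@{
            Check = 'FirewallRule'; Severity = 'Medium'
            Detail = "'$($r.DisplayName)' enabled for profile(s) $($r.Profile)"
        })
    }
    return $findings
}

Get-ApolloShadowIndicators | Format-Table -AutoSize
```

The Private-profile and file-sharing findings are baseline-dependent: on a home workstation both are normal, while on a travel or embassy laptop that is expected to sit on Public profiles with sharing off, either one appearing after a captive-portal sign-in is worth a closer look. The account check is the least noisy of the three, so treat a High finding there as the one to escalate.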
To protect against Kremlin spies eavesdropping on devices, Microsoft recommends that everyone operating in Moscow — especially sensitive organizations such as foreign embassies — route all traffic through an encrypted tunnel to a trusted network rather than relying on a local ISP, or use a virtual private network (VPN) provider, such as a satellite-based one, whose infrastructure is not controlled by Russia or other outside entities. ®