
Cyber Espionage by Russian Group Secret Blizzard

01 August 2025

The hacker group Secret Blizzard, linked to the FSB of Russia, exploited a state communications interception system to conduct cyber espionage against foreign diplomatic missions in Moscow.

This information was disclosed in a report by Microsoft on July 31, 2025.

According to Microsoft, the Secret Blizzard group (also known as Turla) launched a comprehensive cyber espionage campaign targeting foreign embassies operating in Moscow. The hackers gained access to Russian internet service providers, allowing them to intercept the diplomatic traffic.

Experts revealed that the attack was carried out using the "Adversary-in-the-Middle" technique, in which the attacker positions itself between the victim and the server the victim is communicating with, and can read or alter the traffic passing through.

During the attacks, hackers installed the ApolloShadow malware on diplomatic devices, which enabled them to execute an "HTTPS downgrade attack" (TLS/SSL stripping), exposing traffic that would otherwise have been encrypted, including logins, passwords, and other sensitive information.

Additionally, ApolloShadow installed a trusted root certificate from "Kaspersky Lab" on the devices, which the victims' systems then treated as trusted, so that the attackers could present fake or compromised websites behind what looked like a valid secure connection. This provided the group with long-term control over the devices of foreign diplomats.
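The root-certificate step above is the one a defender can check for directly: a root certificate that a victim's system trusts but that no administrator installed. The script below is an added example, not code from the article or from Microsoft's report, and it is not the malware's own behaviour. It is a PowerShell audit of the Windows trusted root stores that compares the current contents against a baseline snapshot taken on a known-clean machine; the baseline file path and the vendor name pattern are assumptions for illustration.

```powershell
# Added example (not from the article or Microsoft's report): audit the Windows
# trusted root stores against a known-good baseline so that a newly planted root
# certificate stands out. The baseline path below is an assumption.

$BaselinePath = 'C:\Audit\root-baseline.csv'   # assumption: where the clean snapshot lives

# Both the machine-wide and the per-user root stores matter, because a certificate
# placed in either one is accepted by the system's certificate validation.
$RootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Step 1: run once on a clean, freshly provisioned machine to record the thumbprint
# (SHA-1 fingerprint) of every root certificate that is legitimately trusted.
function New-RootBaseline {
    param([string]$Path = $BaselinePath)
    Get-ChildItem -Path $RootStores |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter, PSParentPath |
        Export-Csv -Path $Path -NoTypeInformation
}

# Step 2: run periodically (or from a scheduled task) and report every root
# certificate whose thumbprint is not in the baseline. A name alone proves nothing:
# anyone can generate a self-signed root whose subject names a well-known vendor,
# so the comparison is on the thumbprint, never on the subject string.
function Find-UnexpectedRoots {
    param([string]$Path = $BaselinePath)
    $known = (Import-Csv -Path $Path).Thumbprint
    Get-ChildItem -Path $RootStores |
        Where-Object { $known -notcontains $_.Thumbprint } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, PSParentPath
}

# Step 3: for any unexpected root that claims to belong to a vendor, confirm the
# thumbprint against that vendor's published root fingerprint before trusting it.
# The pattern is an assumption; adjust it to the vendors your fleet actually uses.
function Find-VendorNamedRoots {
    param([string]$VendorPattern = 'Kaspersky')
    Find-UnexpectedRoots |
        Where-Object { $_.Subject -match $VendorPattern }
}

# Usage:
#   New-RootBaseline                      # once, on a clean reference machine
#   Find-UnexpectedRoots | Format-Table   # on each endpoint under review
#   Find-VendorNamedRoots | Format-Table  # unexpected roots that name a vendor
```

Two caveats a practitioner would add. First, a host that already runs malware with administrative rights can tamper with what PowerShell reports, so the comparison is most reliable when the store contents are collected by an endpoint agent and evaluated off the host. Second, root certificates Windows itself delivers through its automatic root update can legitimately appear after the baseline was taken; those are distinguished by matching Microsoft's published root list rather than by their name.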

Experts believe that the key role in this large-scale cyber attack was played by the System for Operational Investigative Activities (SORM) – a Russian state system that allows authorities to intercept internet traffic in real time.

Secret Blizzard has been identified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as part of the FSB's "Center 16", which ranks among the most capable state-sponsored hacker groups globally and is systematically used by Russia in cyber warfare and influence campaigns.