Russian Espionage Group Targets Diplomats Through Innovative Malware

A Russian nation-state threat group, known as Secret Blizzard, has reportedly been spying on foreign diplomats in Moscow since at least 2024, gaining continuous access to their communications and sensitive data, according to a report released by Microsoft Threat Intelligence.

The group, believed to leverage advanced tactics including malware deployment, has achieved what researchers describe as an “adversary-in-the-middle” position by infiltrating Russian internet service providers and telecom networks. This access allows for both passive surveillance and active intrusion into targeted systems, marking a significant shift in their cyber-espionage capabilities. “It’s a shift, or a kind of movement, toward the evolution of simply watching traffic to actively modifying network traffic in order to get into those targeted systems,” said Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, in an interview with CyberScoop.

Secret Blizzard, also known as Turla or Waterbug, has longstanding ties to Center 16 of Russia’s Federal Security Service (FSB) and has been a prominent player in advanced persistent threats for decades. DeGrippo characterized the group as “creative, persistent, well-resourced, highly organized,” indicating its capability to execute complex cyber operations.

Researchers detailed how the group initially compromises the devices of embassy employees by redirecting them to a malicious domain that mimics a legitimate security warning. This deception tricks staff into downloading rogue root certificates disguised as Kaspersky Anti-Virus software, which subsequently deploys the ApolloShadow malware. Because the device now trusts the attacker’s certificate, the malware effectively defeats traffic encryption and allows Secret Blizzard to maintain persistent access to diplomatic devices, facilitating extensive espionage operations.
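The attack chain above hinges on an unexpected root certificate being trusted by the victim’s device. As an added defensive example (not code from the article or from Microsoft’s report), the following PowerShell script audits the Windows trusted root stores against a baseline of thumbprints captured on a known-clean build; it assumes a Windows host with PowerShell 5.1 or later, and the baseline path is hypothetical.

```powershell
# Added example: flag trusted root certificates that are not in a known-good
# baseline. A rogue root lets an on-path actor terminate TLS without warnings,
# so any root outside the baseline deserves a manual look.
# Assumptions: Windows, PowerShell 5.1+, and a baseline file produced with
# -Export on a clean machine (the path below is a hypothetical example).
param(
    [string]$BaselinePath = "C:\baseline\root-thumbprints.txt",  # hypothetical
    [switch]$Export
)

# User-installed roots often land in CurrentUser\Root, so check both stores.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")
$roots  = foreach ($s in $stores) { Get-ChildItem -Path $s }

if ($Export) {
    # Record the thumbprints of a clean machine as the baseline.
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Exported $($roots.Count) root thumbprints to $BaselinePath"
    return
}

# Load the baseline into a hash table for O(1) lookups.
$baseline = @{}
Get-Content -Path $BaselinePath | ForEach-Object { $baseline[$_.Trim()] = $true }

$unexpected = $roots | Where-Object { -not $baseline.ContainsKey($_.Thumbprint) }

if (-not $unexpected) {
    Write-Host "No root certificates outside the baseline."
    return
}

# Report the details an analyst needs to triage each unexpected root.
$unexpected | ForEach-Object {
    [PSCustomObject]@{
        Store        = $_.PSParentPath -replace '.*::', ''
        Thumbprint   = $_.Thumbprint
        Subject      = $_.Subject
        Issuer       = $_.Issuer
        SelfSigned   = ($_.Subject -eq $_.Issuer)
        NotBefore    = $_.NotBefore
        FriendlyName = $_.FriendlyName
    }
} | Format-Table -AutoSize
```

A root whose NotBefore date is recent and whose Subject borrows a security vendor’s name is the pattern described in the report; a genuine anti-virus installer does not need to add a trusted root CA.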

Microsoft has refrained from disclosing the exact number of embassies affected by these intrusions, although they acknowledge the group remains active. The operational techniques employed by Secret Blizzard are of particular concern due to their potential exploitation of lawful intercept capabilities within high-risk infrastructures in countries such as Russia, China, and Iran.

Past incidents have demonstrated Secret Blizzard’s capacity to leverage tools from other cybercriminal entities, indicating their adaptability and resourcefulness when targeting geopolitical interests, particularly in Ukraine.