Microsoft’s Threat Intelligence team has warned that a state-sponsored hacking group it calls “Secret Blizzard” is conducting an ongoing cyber-espionage campaign against foreign embassies in Moscow. The operation, which Microsoft attributes to the Kremlin’s FSB-linked Turla outfit, leverages Russia’s own internet service providers to place the hackers in an adversary-in-the-middle position between diplomats’ devices and the wider internet. From that vantage point, the attackers redirect victims to a captive portal that mimics a routine connectivity check, then prompt them to install what appears to be a Kaspersky certificate update. The download instead delivers a custom backdoor dubbed “ApolloShadow.” Once installed, the malware adds rogue root certificates, strips TLS encryption from web traffic, creates a persistent administrative account and captures credentials and other sensitive data in clear text. Microsoft says the espionage activity has been underway since at least 2024 and remains active. While the company declined to identify the embassies affected or the number of systems compromised, it notes that the ISP-level access is “likely facilitated by lawful intercept” powers available to Russian authorities, marking the first confirmed use of such capability by Secret Blizzard. The company advises diplomatic missions and other sensitive organisations operating in Russia to route all traffic through trusted encrypted tunnels or satellite-based VPN services, enforce least-privilege access on devices and review privileged accounts regularly to mitigate the risk.
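Two of the post-compromise traces described above (rogue root certificates and a persistent administrative account) are cheap to audit on a Windows endpoint. The following PowerShell script is an added example, not code from Microsoft's report or any vendor tool; it assumes a baseline file of known-good root thumbprints at `$BaselineRootFile` (exported from a clean build) and a site-specific `$ApprovedAdmins` list, both of which are placeholders to replace.

```powershell
# Added defender-side audit (example code, not from Microsoft's report or any vendor tool).
# Flags root CA certificates missing from a known-good baseline and members of the local
# Administrators group that are not on the approved list.
function Invoke-RootAndAdminAudit {
    param(
        [string]   $BaselineRootFile = 'C:\ProgramData\Audit\root-baseline.txt', # assumption: your path
        [string[]] $ApprovedAdmins   = @("$env:COMPUTERNAME\Administrator"),     # assumption: your list
        [int]      $LookbackDays     = 30
    )
    $findings = @()

    # --- 1. Root CA stores (machine-wide and current user) ---------------------------
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root
    if (Test-Path $BaselineRootFile) {
        # Preferred check: any root not in the baseline is suspect.
        $baseline = Get-Content $BaselineRootFile | ForEach-Object { $_.Trim().ToUpper() }
        $suspect  = $roots | Where-Object { $baseline -notcontains $_.Thumbprint.ToUpper() }
    } else {
        # Fallback heuristic: the store does not expose install time, so a validity
        # period that began recently is used as a proxy. A backdated certificate
        # would evade this; prefer the baseline comparison where possible.
        $cutoff  = (Get-Date).AddDays(-$LookbackDays)
        $suspect = $roots | Where-Object { $_.NotBefore -ge $cutoff }
    }
    foreach ($c in $suspect) {
        $store = $c.PSParentPath -replace '.*::', ''   # e.g. LocalMachine\Root
        $findings += [pscustomobject]@{
            Check  = 'RootCert'
            Detail = "$store  $($c.Subject)  thumbprint=$($c.Thumbprint)"
        }
    }

    # --- 2. Local Administrators membership ------------------------------------------
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings += [pscustomobject]@{
                Check  = 'LocalAdmin'
                Detail = "$($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
            }
        }
    }
    return $findings
}

$results = Invoke-RootAndAdminAudit
if ($results.Count -eq 0) { Write-Output 'No unexpected root certificates or administrators found.' }
else { $results | Format-Table -AutoSize }
```

Run it from an elevated session so the machine store and group membership are readable; a hit on either check is a lead to investigate, not proof of compromise on its own.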
Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies: https://t.co/IKDXjIrsS4 by The Hacker News #infosec #cybersecurity #technology #news
A phishing campaign that abuses Microsoft OAuth applications to bypass multi-factor authentication has just been identified by cybersecurity experts. Its success rate worries them all the more. https://t.co/nCmZcYAySg
🛑 Russia’s Secret Blizzard hackers are hijacking embassy internet traffic in Moscow—at the ISP level. They’re using fake Kaspersky alerts + a new malware “ApolloShadow” to silently take over devices. Microsoft confirms: the campaign is ongoing. Details here → https://t.co/6cFRcnMHQu