Ethical Hacking News
Microsoft has warned that a Kremlin-backed group, Secret Blizzard, is using an adversary-in-the-middle (AiTM) position at local internet service providers' networks to spy on diplomats from foreign embassies in Moscow. The attackers use a captive portal and redirect users to fake websites or inject malicious code, stealing sensitive information like login credentials or financial account info. Secret Blizzard's AiTM position is likely facilitated by lawful intercept, allowing them to intercept victims' communications and push malware to their devices. The attackers deploy custom ApolloShadow malware, which allows them to spy on diplomats and steal sensitive information from their devices. Microsoft recommends routing all traffic through an encrypted tunnel or using a virtual private network (VPN) service provider to protect against such attacks.
Microsoft has warned that a Kremlin-backed group, known as Secret Blizzard or VENOMOUS BEAR, Turla, WRAITH, ATG26, is abusing local internet service providers' networks to spy on diplomats from foreign embassies in Moscow. This campaign, which has been ongoing since at least 2024, involves the use of an adversary-in-the-middle (AiTM) position at the ISP/telco level to gain access to these diplomatic missions.
In an AiTM attack, the attacker intercepts communications between two parties, such as the victim's device and website they are trying to access. The attacker can then read messages and steal sensitive information like login credentials or financial account info. Or they can use this AiTM position to redirect users to fake websites or inject malicious code.
To achieve AiTM intrusions, the attacker usually creates a fake network with a similar name to one the victim is trying to connect to — for example, a phony airport Wi-Fi network that's just a letter or two off from the real thing. However, in this case, Secret Blizzard’s AiTM position at the ISP level "is likely facilitated by lawful intercept," the threat hunters noted.
The attackers, who are backed by the Russian government, have been using an adversary-in-the-middle (AiTM) position at the ISP/telco level to gain access to foreign embassies in Moscow. They then deploy their custom ApolloShadow malware, which allows them to spy on diplomats and steal sensitive information from their devices.
The threat actors use a captive portal, a legitimate web page that manages network access like those a user would see when connecting to the internet at an airport or hotel, to redirect target devices behind it. Once the victim's device is behind this captive portal, the attackers initiate the Windows Test Connectivity Status Indicator. This is a legitimate service that determines if a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should direct to msn[.]com.
In this attack, it redirects to a Secret Blizzard-controlled domain that likely displays a certificate validation error and gets the user to download and execute ApolloShadow. If the device isn't running on default admin settings, the user is presented with a pop-up window that tells them to download fake certificates, named CertificateDB[.]exe, which gives the attackers elevated privileges.
Using their AiTM position, the Russian spies can use DNS manipulation to redirect communications to a Secret Blizzard-controlled command-and-control server, and then send the second-stage payload to the victim's device. This one displays to the victim as a user account control (UAC) pop-up window asking permission to bypass UAC safety mechanisms. If the user clicks "yes," the malware now has the highest-available privileges, which ApolloShadow initially abuses by setting all networks to "private," allowing the host device to become discoverable, and changing firewall rules to enable file sharing.
Finally, ApolloShadow creates an administrative user with the username UpdatusUser and a hardcoded password, set to never expire, on the compromised system using the Windows API NetUserAdd. The malware now has persistent access to the infected host via the newly created local admin user.
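The following is an added example, not code from Microsoft or from the article: a small Python detector for the host-side traces the paragraphs above describe (the UpdatusUser local admin account, its addition to Administrators, the firewall change enabling file sharing) plus a check that the Windows connectivity probe still lands on msn.com. Event IDs 4720, 4732 and 4946 are real Windows Security event IDs; the flattened dict layout, the field names and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Well-known SID of the BUILTIN\Administrators group.
BUILTIN_ADMINS_SID = "S-1-5-32-544"
# Account name the article reports ApolloShadow creating via NetUserAdd.
SUSPICIOUS_ACCOUNTS = {"updatususer"}
# Host the NCSI /redirect probe is expected to land on, per the article.
EXPECTED_NCSI_HOST = "www.msn.com"

@dataclass
class Finding:
    event_id: int
    host: str
    reason: str

def inspect_event(ev: dict) -> Optional[Finding]:
    """Map one Security-log event (flattened to a dict; layout assumed) to a finding."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid == 4720 and ev.get("TargetUserName", "").lower() in SUSPICIOUS_ACCOUNTS:
        return Finding(eid, host, f"local account {ev['TargetUserName']} created")
    if eid == 4732 and ev.get("TargetSid") == BUILTIN_ADMINS_SID:
        return Finding(eid, host, f"{ev.get('MemberName')} added to BUILTIN\\Administrators")
    if eid == 4946 and "file and printer sharing" in ev.get("RuleName", "").lower():
        return Finding(eid, host, f"firewall rule added: {ev['RuleName']}")
    return None

def scan(events) -> list:
    return [f for f in (inspect_event(e) for e in events) if f]

def ncsi_redirect_suspicious(location: str) -> bool:
    """True when the connectivity probe redirects anywhere other than msn.com,
    the symptom of the captive portal / AiTM redirect described in the article."""
    host = (urlparse(location).hostname or "").lower()
    return host != EXPECTED_NCSI_HOST and not host.endswith("." + EXPECTED_NCSI_HOST)

# Constructed sample events (not real telemetry); one benign record per type.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe"},
    {"EventID": 4720, "Computer": "WS01", "TargetUserName": "UpdatusUser"},
    {"EventID": 4732, "Computer": "WS01", "TargetSid": BUILTIN_ADMINS_SID, "MemberName": "WS01\\UpdatusUser"},
    {"EventID": 4946, "Computer": "WS01", "RuleName": "File and Printer Sharing (SMB-In)"},
    {"EventID": 4720, "Computer": "WS02", "TargetUserName": "svc_backup"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] event {f.event_id}: {f.reason}")
    print("NCSI redirect suspicious:", ncsi_redirect_suspicious("http://portal.invalid/login"))
```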
To protect against Kremlin spies eavesdropping on devices, Microsoft recommends everyone operating in Moscow — especially sensitive organizations such as foreign embassies — to route all traffic through an encrypted tunnel to a trusted network, not a local ISP. Or, use a virtual private network (VPN) service provider like a satellite-based provider, whose infrastructure is not controlled by Russia or other outside entities.
Microsoft has warned that the attackers have ISP consent to sit on the networks, intercept victims' communications, and push malware to their devices. "We do not have insight into the relationship between the threat actor and the ISP," Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo responded. "In certain geopolitical contexts, any ISP may not be acting independently."
The bottom line, she added, is that anyone sending and receiving super sensitive data should use thoroughly vetted networks that are secured with end-to-end visibility. "In a country where the government has deep technical and legal control over ISPs, that infrastructure can become part of the threat surface," DeGrippo said.
This campaign by Secret Blizzard highlights the vulnerability of diplomatic missions in Moscow to cyber-attacks from outside sources. The fact that the attackers have been able to exploit local ISPs to spy on diplomats raises serious concerns about the security of sensitive information and the potential for foreign espionage.
In conclusion, the use of an adversary-in-the-middle (AiTM) position at the ISP/telco level by a Kremlin-backed group to spy on foreign diplomats in Moscow is a concerning development. The attack highlights the vulnerability of diplomatic missions to cyber-attacks from outside sources and underscores the need for enhanced security measures to protect sensitive information.
Related Information:
https://www.ethicalhackingnews.com/articles/Russias-Shadow-Network-How-Kremlin-Backed-Group-Secret-Blizzard-Exploits-Local-ISPs-to-Spy-on-Foreign-Diplomats-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/07/31/kremlin_goons_caught_abusing_isps/
Published: Thu Jul 31 12:13:13 2025 by llama3.2 3B Q4_K_M