
Moscow-based diplomats under scrutiny as Kremlin allegedly uses Internet Service Providers for spying, according to Microsoft's claims.

Foreign embassies under surveillance by Russia? Unbelievable, isn't it?

Moscow-based diplomats under surveillance by Kremlin henchmen, claims Microsoft, through illicit ISP monitoring.


In a concerning development, a state-sponsored Russian cyber-espionage group known as Secret Blizzard has been found operating at the internet service provider (ISP) level to run its espionage campaigns. The group, which Microsoft links to Russia's Federal Security Service (FSB), has been targeting foreign embassies and diplomatic personnel operating in Moscow [1][2][3][4].

How Secret Blizzard Operates at the ISP Level

The group uses an adversary-in-the-middle (AiTM) position at the ISP level to reach foreign embassies' networks and deploy custom malware that Microsoft tracks as ApolloShadow [1][4]. Targets are redirected through captive portals inside the ISP network and tricked into downloading the malware disguised as legitimate software, such as a fake Kaspersky antivirus update [1][4].

Once installed, ApolloShadow adds a trusted root certificate to the victim device, which lets the operators impersonate legitimate websites and intercept TLS-encrypted traffic that the device would otherwise treat as secure [1][4]. The malware also modifies system settings, creates persistent administrator accounts, and enables file sharing, giving the group long-term access for intelligence gathering [4].

From that position on the ISP path, the attackers can intercept, read, and manipulate traffic between the victim and legitimate services without the victim noticing, harvesting credentials and confidential data or injecting malicious content [2].
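The three post-install changes described above (a new trusted root, a new local administrator, and a host opened up for file sharing) are all visible from the host itself. The following script is an added example, not code from Microsoft or from the article, that audits one Windows machine for those artefacts; it needs an elevated session, and the baseline thumbprint list and admin allowlist are hypothetical placeholders that you fill from a known-clean build of the same image.

```powershell
# Added example, not code from Microsoft or from the article. Audits one Windows host
# for the ApolloShadow artefacts the text describes: an added trusted root CA, an added
# local administrator, and network profiles switched to Private (which is what enables
# discovery and file sharing). Run elevated.
# $BaselineRootThumbprints and $ExpectedAdmins are hypothetical placeholders; fill them
# from a known-clean build of the same image before relying on the output.

param(
    [string[]]$BaselineRootThumbprints = @(),                       # assumption: from a clean build
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')  # assumption: your real admin set
)

function Get-AitmHostIndicators {
    param([string[]]$BaselineRoots, [string[]]$AllowedAdmins)
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Root stores. A rogue root lets the ISP-side attacker mint certificates for any
    #    site, so every root not in the baseline is reported (both machine and user stores).
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($BaselineRoots -notcontains $cert.Thumbprint) {
                $findings.Add([pscustomobject]@{
                    Check  = 'UnexpectedRootCA'
                    Where  = $store
                    Detail = "$($cert.Subject) [$($cert.Thumbprint)] valid from $($cert.NotBefore.ToString('yyyy-MM-dd'))"
                })
            }
        }
    }

    # 2. Local Administrators membership: a persistent admin account is the second artefact.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $name = ($member.Name -split '\\')[-1]
        if ($AllowedAdmins -notcontains $name) {
            $findings.Add([pscustomobject]@{
                Check  = 'UnexpectedAdmin'
                Where  = 'Administrators'
                Detail = "$($member.Name) ($($member.ObjectClass), $($member.PrincipalSource))"
            })
        }
    }

    # 3. Network profile category. Private is normal on a managed office LAN, so on its own
    #    this is low severity; together with 1 or 2 it matches the described change that
    #    exposes the host for file sharing.
    foreach ($profile in Get-NetConnectionProfile) {
        if ($profile.NetworkCategory -eq 'Private') {
            $findings.Add([pscustomobject]@{
                Check  = 'PrivateNetworkProfile'
                Where  = $profile.InterfaceAlias
                Detail = "$($profile.Name) is $($profile.NetworkCategory)"
            })
        }
    }
    return $findings
}

$results = Get-AitmHostIndicators -BaselineRoots $BaselineRootThumbprints -AllowedAdmins $ExpectedAdmins
if ($results.Count -eq 0) {
    'No deviations from baseline.'
} else {
    $results | Format-Table -AutoSize -Wrap
    exit 1   # non-zero exit so a scheduled run can raise an alert
}
```

With an empty baseline the first run lists every root on the machine; save those thumbprints from a trusted build as the baseline, and schedule the script so that any root, administrator, or profile change that appears afterwards is reported.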

Recommended Security Measures

To protect against such AiTM attacks, organizations are advised to implement several security measures. These include:

  1. Use of end-to-end encrypted tunnels, such as a VPN terminating at a trusted endpoint, together with transport layer security (TLS), to prevent interception at the ISP layer [4]. TLS protects traffic only while the device's trust store is intact: once a malicious root certificate is installed, as ApolloShadow does, the attacker can present valid-looking certificates for any site, so the trust store must be checked as well.
  2. Implementing zero-trust and least-privilege access principles in IT infrastructure to limit the damage if a device is compromised [4].
  3. Regular monitoring for unusual network redirects (such as unexpected captive portals) and for new root certificates in device trust stores, either of which may indicate AiTM activity [1][4].
  4. Enforcing multi-factor authentication (MFA) so that intercepted passwords cannot be reused on their own [2]; since an AiTM can relay one-time codes in real time, phishing-resistant methods are preferable.
  5. Avoiding reliance on local ISPs' default networks for sensitive communications where possible, or using secure, trusted external connections [1][3].
  6. Frequent security audits and updated endpoint protection to detect and remove custom malware such as ApolloShadow [4].
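Item 3 above can be checked from the client side before trusting the local ISP path. The script below is an added example, not code from Microsoft or from the article: it fetches the Windows connectivity probe with redirects disabled, so a captive portal shows up as a 3xx or a substituted body, and then opens a TLS session to a host whose public root CA you already know, so a chain that ends in an unfamiliar, locally installed root stands out. The probe host and the expected root thumbprint are assumptions; record the thumbprint once from a clean machine on a trusted network.

```powershell
# Added example, not code from Microsoft or from the article. Two client-side checks for
# the ISP-level AiTM position described in the text: a captive-portal probe with
# redirects disabled, and a TLS handshake whose chain root is compared with a known value.
# $TlsHost and $ExpectedRootThumbprint are hypothetical placeholders.

param(
    [string]$TlsHost = 'www.microsoft.com',                                  # assumption: any host with a stable, well-known root
    [string]$ExpectedRootThumbprint = 'REPLACE-WITH-KNOWN-GOOD-THUMBPRINT'   # assumption: recorded on a trusted network
)

function Test-CaptivePortal {
    # The Windows NCSI probe: a clean path returns 200 with exactly this body.
    # A captive portal answers with a 3xx redirect or with substituted content.
    param([string]$ProbeUrl = 'http://www.msftconnecttest.com/connecttest.txt',
          [string]$ExpectedBody = 'Microsoft Connect Test')
    try {
        $req = [System.Net.HttpWebRequest]::Create($ProbeUrl)
        $req.AllowAutoRedirect = $false     # we want to see the redirect, not follow it
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        if ($code -ge 300 -and $code -lt 400) {
            return "Probe redirected ($code) to $($resp.Headers['Location'])"
        }
        $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd().Trim()
        $resp.Close()
        if ($body -ne $ExpectedBody) { return "Probe body substituted: '$body'" }
        return $null
    } catch {
        return "Probe failed: $($_.Exception.Message)"
    }
}

function Get-TlsChainRoot {
    # Opens a TLS session and records the root of the chain Windows built for the
    # server certificate. The callback only observes; it does not decide trust.
    param([string]$HostName, [int]$Port = 443)
    $state = @{ Root = $null; Errors = $null }
    $observer = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$observer
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    return $state
}

$portal = Test-CaptivePortal
if ($portal) { Write-Warning "Possible ISP-level redirect: $portal" } else { 'Connectivity probe clean.' }

$chain = Get-TlsChainRoot -HostName $TlsHost
"Chain root for ${TlsHost}: $($chain.Root.Subject) [$($chain.Root.Thumbprint)] policy errors: $($chain.Errors)"
if ($chain.Root.Thumbprint -ne $ExpectedRootThumbprint) {
    Write-Warning 'TLS chain ends in an unexpected root; check the local Root stores for a recently added CA.'
}
```

A chain that validates cleanly (no policy errors) but ends in a root you did not expect is the pattern to look for: it means the device already trusts the interceptor's CA, which is exactly what the installed root certificate achieves.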

This campaign, active since at least 2024, underscores the need for strict network encryption and vigilant endpoint defense by targeted organizations [1][4]. By staying informed and implementing these measures, organizations can better protect themselves against this kind of threat.

[1] Source 1
[2] Source 2
[3] Source 3
[4] Source 4

  1. The cybersecurity threat posed by Secret Blizzard highlights the importance of employing end-to-end encrypted tunnels like VPNs and TLS, as they can prevent interception at the ISP level.
  2. In the wake of this cybersecurity concern, organizations should implement zero-trust and least privilege access principles to minimize damage if a device is compromised.
  3. To combat AiTM attacks such as those from Secret Blizzard, regular monitoring for unusual network redirects or certificate installations is crucial to detect potential malicious activities.
