Full Report
A new Microsoft report finds that the long-running threat group has gained positions on state-aligned ISPs and Russian telecoms, while tricking foreign embassy staff into downloading custom malware. Source article: "Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow", first published on CyberScoop.
Analysis Summary
# Threat Actor: Secret Blizzard
## Attribution & Identity
* **Affiliation:** Russia-affiliated, nation-state threat group.
* **Associated Group:** Believed to be affiliated with Center 16 of Russia’s Federal Security Service (FSB).
* **Aliases:** Turla, Pensive Ursa, Waterbug.
* **Characteristics:** Described as the "classic definition" of an Advanced Persistent Threat (APT): creative, persistent, well-resourced, and highly organized.
## Activity Summary
* **Campaign Focus:** Ongoing espionage against foreign diplomats operating in Moscow.
* **Timeline:** Active since at least 2024 (when access was confirmed by Microsoft researchers).
* **Capability Shift:** The group is evolving from simple traffic monitoring to actively modifying network traffic to infiltrate targets, achieving "adversary-in-the-middle" positions on Russian ISP and telecom networks.
* **Objective:** Gaining persistent access to diplomatic devices to view communications and data, often in plain text.
## Tactics, Techniques & Procedures
* **Initial Access via Social Engineering:** Embassy staff connecting through the captive portal of a state-aligned network are redirected to a malicious domain.
* **Deceptive Prompts:** Displaying a false certificate validation error to trick victims.
* **Malware Deployment:** Tricking victims into downloading root certificates falsely branded as Kaspersky Anti-Virus software, which deploys **ApolloShadow** malware.
* **Network Modification:** ApolloShadow disables traffic encryption and forces devices to trust malicious sites as legitimate.
* **Persistence:** Maintaining persistent access to diplomatic devices for espionage.
* **Data Exfiltration:** Viewing the majority of the target’s browsing in plain text, including tokens and credentials.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
* **Sectors:** Diplomatic/Embassy staff.
* **Geography:** Moscow (targeting entities operating within Russia).
* **Victims:** Foreign embassies operating in Moscow.
## Tools & Infrastructure
* **Malware Families Used:** ApolloShadow (custom malware).
* **Infrastructure:** Gaining "adversary-in-the-middle" positions on state-aligned Internet Service Providers (ISPs) and Russian telecom networks.
* **Defanged URLs/IPs:** Malicious domains are used for the captive-portal redirection, but the source text does not list them (defanged or otherwise).
## Implications
* Secret Blizzard has achieved a high level of network access (ISP level) within Russia, blending passive surveillance with active intrusion, significantly increasing the risk to diplomatic communications.
* The social engineering is effective because it exploits routine security habits (clicking through a certificate error, installing what looks like antivirus software) while leveraging a trusted brand (Kaspersky).
* The ability to decrypt and read traffic in plain text exposes sensitive diplomatic communications, credentials, and tokens.
## Mitigations
* Security awareness training emphasizing vigilance concerning certificate errors and security prompts, especially when using state-aligned or unfamiliar networks in high-surveillance environments.
* Thorough examination of security alerts and certificates before accepting or installing root certificates, particularly when presented after accessing captive portals.
* Assume network traffic on local state-aligned Russian networks is compromised or subject to modification/passive surveillance.
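The intrusion chain above ends with a rogue root certificate in the trust store, and the second mitigation asks for that store to be examined; the following PowerShell script is an added example (not from the Microsoft or CyberScoop material) that baselines the Windows trusted-root stores on a known-good host and later reports any root that was not there, so an unexpected self-signed root added after a captive-portal session stands out. The baseline file path and the `-SaveBaseline` switch are the example's own assumptions.

```powershell
# Added example (not from the report): compare the trusted-root stores against a
# saved baseline of thumbprints and report any root that is not in it.
# Assumptions: the baseline path and the stores checked are this example's choices.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt",
    [switch]$SaveBaseline
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every certificate currently trusted as a root, with the details a
# reviewer needs: which store it lives in, who it claims to be, and when it was issued.
$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NotBefore  = $_.NotBefore
        }
    }
}

if ($SaveBaseline) {
    # First run on a known-good machine: record the thumbprints to diff against later.
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Saved $($roots.Count) root thumbprints to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -SaveBaseline on a known-good host first."
}

$baseline   = Get-Content -Path $BaselinePath | Where-Object { $_ }
$unexpected = $roots | Where-Object { $baseline -notcontains $_.Thumbprint }

if (-not $unexpected) {
    Write-Host "Root stores match the baseline."
    return
}

# Anything listed here became trusted after the baseline was taken. A recently
# issued self-signed root that names a security vendor is the pattern the report
# describes and should be reviewed before the device is used further.
$unexpected |
    Sort-Object NotBefore -Descending |
    Format-Table Store, Thumbprint, SelfSigned, NotBefore, Subject -AutoSize
```

Run it with `-SaveBaseline` once on a clean build, then periodically (or after any captive-portal login) without the switch; the CurrentUser store is included because a per-user root install needs no administrator rights.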