The Russian hacker group Secret Blizzard, linked to the FSB, has utilized a communication interception system for espionage against foreign embassies in Moscow.

This information is outlined in the Microsoft Threat Intelligence report dated July 31, 2025.

According to Microsoft, Secret Blizzard (also known as Turla) initiated a large-scale cyber espionage campaign targeting embassies operating in Moscow. The hackers accessed Russian internet service providers and exploited their infrastructure to intercept the internet traffic of diplomatic entities.

Experts discovered that the attack used the "Adversary-in-the-Middle" technique, in which the attacker positions themselves between the victim and the server so that traffic passing between them can be intercepted.

During the attacks, the hackers installed malware named ApolloShadow on diplomatic devices, enabling what is called an "HTTPS downgrade attack" (TLS/SSL stripping), which exposes traffic that would otherwise be encrypted, including logins, passwords, and authentication tokens.

Additionally, ApolloShadow installed a trusted root certificate purporting to be from "Kaspersky Lab" on the devices. Because the victims' systems then treated that certificate as trusted, the attackers could present fake or compromised websites over a connection that appeared to be securely encrypted. This gave the group long-term control over the devices of foreign diplomats.
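A rogue root certificate of the kind described above is visible in the Windows trusted root stores, so a defender can audit those stores against a saved baseline. The PowerShell script below is an added example, not code from Microsoft's report or from the article; the baseline file path and the "Kaspersky" subject match are assumptions, and a legitimate Kaspersky installation can also add a root certificate, so the output is a review list rather than a verdict.

```powershell
# Added example: compare the machine's trusted root stores with a baseline of
# thumbprints and report any root that is new or that claims to be a Kaspersky CA.
param(
    # Assumed location of the baseline thumbprint list (one thumbprint per line).
    [string]$BaselinePath = "C:\Audit\root-baseline.txt"
)

# Roots trusted for the whole machine and for the current user.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root

if (-not (Test-Path $BaselinePath)) {
    # First run: record every current thumbprint as the known-good baseline.
    $roots | Select-Object -ExpandProperty Thumbprint |
        Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($roots.Count) roots)."
    return
}

$baseline = Get-Content -Path $BaselinePath

foreach ($cert in $roots) {
    $isNew = $baseline -notcontains $cert.Thumbprint
    # The report describes a root presented as coming from Kaspersky Lab; a genuine
    # AV install can add one too, so this only marks the entry for manual review.
    $claimsKaspersky = $cert.Subject -match 'Kaspersky'

    if ($isNew -or $claimsKaspersky) {
        [pscustomobject]@{
            Store            = $cert.PSParentPath -replace '.*::', ''
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotBefore        = $cert.NotBefore
            NewSinceBaseline = $isNew
            ClaimsKaspersky  = $claimsKaspersky
        }
    }
}
```

Run it once on a known-clean machine to write the baseline, then on a schedule; any row with NewSinceBaseline set to True deserves a look at who installed that root and when.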

Experts believe that a crucial role in this extensive cyber attack was played by the Russian System for Operative Investigative Activities (SORM), which lets security agencies intercept internet traffic in real time.

Secret Blizzard has been identified by CISA as a subdivision of the FSB's "Center 16," a leading entity among state-sponsored hacker groups worldwide, systematically employed by Russia in cyber warfare and influence campaigns.