Russian FSB‑Linked “Secret Blizzard” Launches ISP‑Level AiTM Campaign Against Moscow Embassies


Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor Secret Blizzard (also tracked as Turla) against foreign embassies in Moscow. The group holds an adversary-in-the-middle (AiTM) position at the ISP level and uses it to deliver its custom ApolloShadow malware, which installs an attacker-controlled root certificate on diplomatic devices so that their TLS sessions can be decrypted in transit. This marks a new level of intrusion built on state-controlled telecom infrastructure rather than on a software flaw, and it raises urgent cybersecurity concerns well beyond Russia.

  • Since at least February 2025, Secret Blizzard has run an ongoing AiTM campaign against foreign diplomatic missions in Moscow, using ISP-level control to intercept traffic and deliver ApolloShadow disguised as a Kaspersky AV certificate installer.
  • This is the first time Microsoft has observed an FSB-linked actor operating at the ISP level inside Russia; Microsoft assesses that the position is likely enabled by lawful-intercept infrastructure such as SORM.
  • Embassies that rely on local telecom providers are the exposed population: once the rogue root certificate is trusted by the device, even HTTPS browsing is readable by the threat actor.

Technical Analysis: ApolloShadow Malware & Attack Chain

Deployment Mechanism

  • When a victim device connects to the internet, its captive-portal check (the Windows connectivity probe to msftconnecttest.com/redirect) is hijacked at the ISP and answered with a redirect to an actor-controlled domain.
  • The landing page prompts the user to run CertificateDB.exe, which masquerades as a Kaspersky certificate installer. Once it obtains elevated privileges it installs attacker root certificates, which is what lets the AiTM position decrypt the device's TLS traffic.

Malware Behavior

  • ApolloShadow installs root certificates and sets all connected networks to the Private profile, which relaxes Windows Firewall rules (discovery and file sharing) and eases lateral movement.
  • It creates a local administrator account and makes registry changes to reinforce persistence, and it exfiltrates the host's network configuration to its C2 as encoded data in HTTP GET query strings.

MITRE ATT&CK Mapping & IoCs

Phase           | Technique                                         | MITRE ID  | Description
Initial Access  | Adversary-in-the-Middle                           | T1557     | ISP-level redirection of the captive-portal probe (ATT&CK files T1557 under Credential Access and Collection; it is listed here by its role in the chain)
Execution       | User Execution: Malicious File                    | T1204.002 | Victim runs the CertificateDB.exe "installer"
Persistence     | Create Account: Local Account                     | T1136.001 | New local administrator account
Defense Evasion | Subvert Trust Controls: Install Root Certificate  | T1553.004 | Attacker root certificate trusted, enabling TLS interception
Exfiltration    | Exfiltration Over C2 Channel                      | T1041     | Host network configuration encoded into GET query strings
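The behaviours and ATT&CK mappings above translate directly into hunt rules. The block below is an added example, not code from Microsoft or from this article: it normalises endpoint and proxy telemetry into simple dict events (a constructed layout; every sample event is made up) and flags the hijacked connectivity probe, the lure executable, the certutil write to the Root store, local admin account creation, and the encoded GET exfil. The T1562.004-style network-profile change is left to the host audit later in the article. Two assumptions are this example's own: the exfil rule assumes the encoding is Base64 (the article says only that the configuration is encoded into the query string), and the account name and paths in the sample events are placeholders.

```python
"""Hunt rules for the attack chain above. Added example, not code from Microsoft
or the article; events use a constructed dict-per-event layout and every sample
event below is made up. Map Sysmon, Security-log and proxy fields onto these keys."""
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit

TRUSTED_PROBE_SUFFIXES = ("microsoft.com", "msftconnecttest.com", "msftncsi.com")
IOC_FILENAME = "certificatedb.exe"          # from the article's IoC list
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
NETCONFIG_MARKERS = ("ipv4", "default gateway", "dns servers", "subnet mask")

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decodes_to_netconfig(value):
    # True if a query value is Base64 that decodes to ipconfig-like text.
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(value).decode("utf-8", "ignore").lower()
        except ValueError:              # binascii.Error is a ValueError
            continue
        if sum(m in text for m in NETCONFIG_MARKERS) >= 2:
            return True
    return False

def rule_aitm_probe(e):
    # T1557: NCSI probe answered with a redirect off Microsoft infrastructure.
    # Hotel captive portals do this too: treat a hit as a pivot, not a verdict.
    if (e["type"] == "http" and host_of(e["url"]).endswith("msftconnecttest.com")
            and e.get("status") in (301, 302, 303, 307, 308)):
        target = host_of(e.get("location", ""))
        if not any(target == s or target.endswith("." + s) for s in TRUSTED_PROBE_SUFFIXES):
            return f"probe redirected to {target}"
    return None

def rule_user_execution(e):
    # T1204.002: the named lure, or any executable a browser started from Downloads.
    if e["type"] != "process":
        return None
    name, parent = basename(e["image"]), basename(e.get("parent", ""))
    if name == IOC_FILENAME or ("\\downloads\\" in e["image"].lower() and parent in BROWSERS):
        return f"{name} launched by {parent}"
    return None

def rule_root_cert(e):
    # T1553.004: certutil writing into the Root store.
    cmd = e.get("cmdline", "").lower()
    if (e["type"] == "process" and basename(e["image"]) == "certutil.exe"
            and "-addstore" in cmd and re.search(r"\broot\b", cmd)):
        return f"root store write: {e['cmdline']}"
    return None

def rule_create_admin(e):
    # T1136.001: 4720 = local account created; 4732 = member added to a local group.
    if e["type"] == "security" and e["event_id"] == 4720:
        return f"account created: {e['target']}"
    if e["type"] == "security" and e["event_id"] == 4732 and e.get("group", "").lower() == "administrators":
        return f"{e['target']} added to Administrators"
    return None

def rule_exfil_get(e):
    # T1041: host configuration encoded into a GET query string (Base64 assumed here).
    if e["type"] != "http" or e.get("method", "GET") != "GET":
        return None
    hits = [k for k, v in parse_qsl(urlsplit(e["url"]).query) if decodes_to_netconfig(v)]
    return f"encoded host config in GET params {hits} to {host_of(e['url'])}" if hits else None

RULES = [
    ("T1557", "Adversary-in-the-Middle", rule_aitm_probe),
    ("T1204.002", "User Execution: Malicious File", rule_user_execution),
    ("T1553.004", "Subvert Trust Controls: Install Root Certificate", rule_root_cert),
    ("T1136.001", "Create Account: Local Account", rule_create_admin),
    ("T1041", "Exfiltration Over C2 Channel", rule_exfil_get),
]

def hunt(events):
    # (technique_id, technique_name, evidence) for every rule that fires on any event
    return [(tid, name, hit) for e in events for tid, name, fn in RULES if (hit := fn(e))]

PROBE = "http://www.msftconnecttest.com/redirect"
_ENCODED = quote(base64.b64encode(b"IPv4 Address: 10.0.0.5\r\nDefault Gateway: 10.0.0.1").decode())
SAMPLE_EVENTS = [  # constructed telemetry following the article's chain, plus one benign decoy
    {"type": "http", "url": PROBE, "status": 302, "location": "http://kav-certificates.info/"},  # hijacked
    {"type": "http", "url": PROBE, "status": 302, "location": "http://go.microsoft.com/fwlink/?LinkID=219472"},  # benign
    {"type": "process", "image": r"C:\Users\u\Downloads\CertificateDB.exe", "cmdline": "CertificateDB.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe", "cmdline": r"certutil -addstore root C:\Temp\ca.cer",
     "parent": r"C:\Users\u\Downloads\CertificateDB.exe"},
    {"type": "security", "event_id": 4720, "target": "svc_update"},  # made-up account name
    {"type": "security", "event_id": 4732, "target": "svc_update", "group": "Administrators"},
    {"type": "http", "method": "GET", "url": "http://kav-certificates.info/?id=" + _ENCODED},
]

if __name__ == "__main__":
    for tid, name, evidence in hunt(SAMPLE_EVENTS):
        print(f"{tid:10} {name:52} {evidence}")
```

The probe rule deliberately fires on any non-Microsoft redirect, because a genuine hotel portal and the hijack look identical at that layer; what separates them is what the redirected host serves next, which the execution and certutil rules catch. The genuine redirect in the sample set (to go.microsoft.com) is there to show the rule staying quiet on normal Windows behaviour.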

Indicators of Compromise (IoCs), defanged; note the domain uses a plain ASCII hyphen:

  • Domain: kav-certificates[.]info
  • IP: 45.61.149.109
  • SHA256: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
  • Filename: CertificateDB.exe

Expert Commentary

“This blurs the boundary between passive surveillance and actual intrusion,” says Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy, describing how Secret Blizzard weaponized ISP infrastructure for espionage. (Reuters)

“It doesn’t leverage any zero‑day or software vulnerability… it’s about controlling the infrastructure,” DeGrippo added, highlighting the stealth and resilience of the AiTM approach. (WIRED)

MEA & Global Cybersecurity Context

While this campaign is geographically limited to Moscow-based diplomatic targets, the tactic is a wider warning: state-aligned control of telecom infrastructure can be abused anywhere, and especially where ISPs are legally obliged to intercept or monitor traffic. Security teams across MEA and globally should reassess how much trust they place in local ISP networks and public infrastructure, including networks they have so far treated as trusted.

By comparison, other Russian state actors tracked by Microsoft, such as Void Blizzard and Seashell Blizzard, have relied on more conventional tradecraft such as spear phishing and backdoors in their operations against NATO states since 2024.

Actionable Takeaways

  1. Enforce Encrypted Tunnels & VPN: Route sensitive users' traffic through an encrypted tunnel to a trusted network so that the local ISP sees only the tunnel, not individual sessions.
  2. Use Alternative Internet Providers: Consider satellite-based or foreign ISPs for sensitive users in high-risk regions.
  3. Block Root Cert Installation: Restrict who can write to the machine Root certificate store, and alert on any addition to it.
  4. Enable MFA & Least Privilege: Enforce strict privilege models so that intercepted credentials alone are not enough.
  5. Monitor Certutil Activity: Alert on or block unexpected certutil -addstore usage and other trust-store writes at endpoints.
  6. Harden UAC Policies: Prevent unauthorized elevation prompts and block unknown executables.
  7. Audit Firewall & Network Profiles: Alert when a network profile changes to Private and review discovery and sharing rules.
  8. Implement Threat Intelligence Feeds: Monitor the IoC domains, IPs and hashes above.
  9. Adopt Zero Trust Architecture: Validate trust per session, not per location or network.
  10. Educate Diplomatic Staff: Train teams on captive-portal phishing and adversary-in-the-middle risk.
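Takeaways 3 and 7 can be turned into a scheduled host check. The block below is an added example, not code from the article or from Microsoft. It compares the machine Root store against a baseline of thumbprints captured from a clean gold image and lists network profiles that have been switched to Private. The collectors use Windows-only standard-library APIs (ssl.enum_certificates and winreg, reading the NetworkList\Profiles\{GUID}\Category values, where 0 is Public, 1 Private and 2 Domain); the audit_* functions are pure, so they also run on data exported from another host. The one-thumbprint-per-line baseline file format is this example's assumption.

```python
"""Host audit for takeaways 3 and 7 above: unexpected machine Root CAs and network
profiles flipped to Private. Added example, not the article's or Microsoft's code.
Collectors use Windows-only stdlib APIs (ssl.enum_certificates, winreg); the
audit_* functions are pure, so they run anywhere on previously collected data."""
import hashlib
import sys

PUBLIC, PRIVATE, DOMAIN = 0, 1, 2      # Category values under NetworkList\Profiles\{GUID}
PROFILES_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"

def thumbprint(der):
    # SHA-1 of the DER bytes: the Thumbprint shown by certmgr.msc and Get-ChildItem Cert:\
    return hashlib.sha1(der).hexdigest().upper()

def audit_root_store(der_certs, baseline_thumbprints):
    # Thumbprints present in the store but absent from the gold-image baseline.
    baseline = {t.replace(" ", "").upper() for t in baseline_thumbprints}
    return sorted({thumbprint(c) for c in der_certs} - baseline)

def audit_network_profiles(profiles, allowed=(PUBLIC, DOMAIN)):
    # profiles: iterable of (profile_name, category). Private is the red flag here.
    return [(name, cat) for name, cat in profiles if cat not in allowed]

def collect_root_store():
    import ssl                                     # enum_certificates exists on Windows only
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"]

def collect_network_profiles():
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as prof:
                name = winreg.QueryValueEx(prof, "ProfileName")[0]
                found.append((name, winreg.QueryValueEx(prof, "Category")[0]))
    return found

def load_baseline(path):
    # One thumbprint per line, captured from a clean gold image (assumed file format).
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip() and not line.startswith("#")]

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collectors need Windows; the audit_* functions still run on exported data")
    rogue = audit_root_store(collect_root_store(), load_baseline(sys.argv[1]))
    for t in rogue:
        print("UNEXPECTED ROOT CA", t)
    for name, cat in audit_network_profiles(collect_network_profiles()):
        print("NETWORK PROFILE NOT PUBLIC/DOMAIN", name, cat)
    sys.exit(1 if rogue else 0)
```

Run it as an elevated scheduled task with the baseline file as the only argument; a non-zero exit on an unexpected root CA is the signal to pull the device off the local ISP and examine the certificate's subject and issuer before anything else.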

Conclusion

Secret Blizzard’s use of an ISP-level AiTM position to deploy ApolloShadow underscores a shift in espionage tradecraft, away from exploiting software vulnerabilities and towards weaponizing the trust that devices place in the network they sit on. For diplomatic and other high-profile entities operating in adversarial environments, perimeter-style controls are no longer sufficient. Organizations must route traffic over trusted encrypted tunnels, harden endpoints against unauthorized trust-store changes, and apply zero-trust principles to reduce exposure to this threat vector.

Sources

  • Microsoft Security Blog: “Frozen in transit: Secret Blizzard’s AiTM campaign” (31 July 2025)
  • Ars Technica: “Microsoft catches Russian hackers targeting foreign embassies” (31 July 2025)
  • The Hacker News: “Secret Blizzard Deploys Malware in ISP‑Level AitM Attacks” (31 July 2025)
  • Reuters: “Russia’s FSB targets foreign embassies in Moscow” (31 July 2025)
  • Microsoft Threat Intelligence: Void Blizzard & Seashell Blizzard profiling (2025)
Ouaissou DEMBELE