Particle.news


FSB-Linked Hackers Leverage Russian ISPs to Spy on Moscow Embassies

Microsoft’s analysis shows the operation uses an adversary-in-the-middle position inside Russian ISP infrastructure, likely enabled by the SORM lawful-intercept system, to deliver ApolloShadow malware that lets the attackers decrypt diplomats’ TLS traffic.

The Russian flag flies on the dome of the Kremlin Senate building in central Moscow, Russia, May 4, 2023. REUTERS/Stringer/File Photo

Overview

  • Microsoft confirms for the first time that the FSB-affiliated group Secret Blizzard (also tracked as Turla) holds adversary-in-the-middle positions at the ISP level, from which it can intercept embassy communications.
  • That position is likely facilitated by Russia’s SORM lawful-intercept system. From it, the campaign redirects diplomats’ devices to a captive portal that serves ApolloShadow disguised as a Kaspersky antivirus installer.
  • Once deployed, ApolloShadow installs rogue root certificates on the device, so forged certificates presented by the attackers’ in-path position are trusted; TLS traffic is then decrypted in transit and browsing data and credentials are exposed in plaintext.
  • Active since at least 2024 and first detected by Microsoft in February 2025, the ongoing operation continues to threaten foreign missions and sensitive organizations in Moscow.
  • To mitigate the risk, Microsoft advises routing embassy traffic through an encrypted tunnel or VPN to a trusted network, so the local ISP sees only ciphertext, and enforcing multifactor authentication so captured credentials alone are not enough.
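As an added example (not code from Microsoft’s report or from this article), the PowerShell script below shows how a defender on a Windows host could check for the two symptoms summarized above: a trusted root certificate that was not present on a known-clean baseline, and a captive-portal redirect of the Windows connectivity probe. The baseline file location, the 30-day “recent” window, and the use of http://www.msftconnecttest.com/connecttest.txt as the captive-portal check are assumptions for illustration (the probe URL is Windows’ own NCSI endpoint, but the script is not Microsoft guidance).

```powershell
<#
  Added example, not from Microsoft's report or this article.
  Audits a Windows host for two symptoms of the AiTM / rogue-root technique:
    1. A trusted root certificate that is not in a known-good baseline.
    2. A captive-portal redirect of the Windows connectivity probe (optional,
       needs network; the probe URL is Windows' own NCSI endpoint, but using
       it this way is an assumption of this example, not Microsoft guidance).
  Usage:
    .\Audit-RootStore.ps1 -WriteBaseline        # once, on a known-clean host
    .\Audit-RootStore.ps1                       # later, to diff against it
    .\Audit-RootStore.ps1 -CheckCaptivePortal   # also probe for a redirect
#>
param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.txt",  # assumed location
    [int]$RecentDays = 30,                                               # assumed window
    [switch]$WriteBaseline,
    [switch]$CheckCaptivePortal
)

# Both machine-wide and per-user root stores: either one makes a forged chain trusted.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
        }
    }
}

if ($WriteBaseline) {
    # A snapshot taken on a host believed clean becomes the allowlist.
    $thumbprints = $roots.Thumbprint | Sort-Object -Unique
    $thumbprints | Set-Content -Path $BaselinePath
    Write-Host "Wrote $($thumbprints.Count) root thumbprints to $BaselinePath"
    return
}

$baseline = @{}
if (Test-Path -Path $BaselinePath) {
    Get-Content -Path $BaselinePath | ForEach-Object { $baseline[$_.Trim()] = $true }
} else {
    Write-Warning "No baseline at $BaselinePath; every root will be listed as unknown."
}

# Any root absent from the baseline is suspect; one whose validity began recently
# is the shape of a CA planted by an installer rather than shipped with Windows.
$cutoff  = (Get-Date).AddDays(-$RecentDays)
$unknown = $roots | Where-Object { -not $baseline.ContainsKey($_.Thumbprint) } |
           Sort-Object -Property NotBefore -Descending

if ($unknown) {
    Write-Output "Root certificates not in baseline:"
    foreach ($c in $unknown) {
        $flag = if ($c.NotBefore -ge $cutoff) { 'RECENT' } else { '      ' }
        Write-Output ("  {0} {1} {2} {3}  {4}" -f $flag, $c.Thumbprint,
                      $c.NotBefore.ToString('yyyy-MM-dd'), $c.Store, $c.Subject)
    }
} else {
    Write-Output "Root stores match baseline."
}

if ($CheckCaptivePortal) {
    # Windows decides it is behind a captive portal when this plain-HTTP probe does
    # not return the expected body; an ISP-level redirect shows up the same way.
    $probe = 'http://www.msftconnecttest.com/connecttest.txt'
    try {
        $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        if ($r.StatusCode -eq 200 -and $r.Content.Trim() -eq 'Microsoft Connect Test') {
            Write-Output "Connectivity probe answered directly; no captive portal seen."
        } else {
            Write-Warning ("Probe returned HTTP {0} with unexpected body: {1}" -f $r.StatusCode, $r.Content)
        }
    } catch {
        # A 3xx with -MaximumRedirection 0, or a blocked connection, lands here.
        Write-Warning ("Probe to {0} was not answered as expected: {1}" -f $probe, $_.Exception.Message)
    }
}
```

The baseline should be captured before the host is ever connected to the untrusted network, and the diff should be run from a session that does not depend on that network for its own tooling. A root that is flagged RECENT and whose subject is unfamiliar is worth exporting and comparing against what the same host’s peers trust before deciding it is benign.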