Particle.news

Microsoft Confirms FSB Hackers Intercept Diplomatic Traffic Through Russian ISPs

Microsoft’s report says an FSB-linked APT group holds adversary-in-the-middle positions on ISP networks in Moscow and tricks targets into installing an attacker-controlled root certificate, which lets it decrypt the diplomatic traffic that passes through those networks.

The Russian flag flies on the dome of the Kremlin Senate building in central Moscow, Russia, May 4, 2023. REUTERS/Stringer/File Photo

Overview

  • Secret Blizzard, tied to FSB’s Center 16, likely leverages Russia’s SORM lawful intercept system to secure adversary-in-the-middle positions at the ISP level in Moscow.
  • The group uses captive-portal redirects on the local ISPs to push ApolloShadow, malware disguised as a Kaspersky update that leads embassy staff to install an attacker-controlled root certificate.
  • With that root trusted, the actor’s ISP-level position can present certificates the device accepts for any site, so TLS sessions can be decrypted in transit; ApolloShadow also redirects the device to actor-controlled domains, exposing credentials and browsing data.
  • Microsoft first detected the ISP-level intrusions in February 2025 but assesses the campaign has persisted since at least 2024 against an undisclosed number of foreign embassies.
  • Microsoft urges embassies and other sensitive organizations to route traffic through VPNs or encrypted tunnels and enforce zero-trust controls to guard against ISP-level espionage.
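The check a defender would want after reading the overview above is whether any root certificate has appeared in the Windows trust stores that was not there on a known-good host. The script below is an added example written for this page, not code from Microsoft's report or from any vendor; the baseline path, the 30-day window and the subject-name heuristic are assumptions, and the baseline must be captured on a machine verified by other means.

```powershell
# Added example (not from Microsoft's report). Audits the Windows trusted-root
# stores against a baseline captured on a known-good host, so a root planted by
# a fake "Kaspersky update" shows up as an unexpected entry.
$BaselinePath = 'C:\ProgramData\TrustAudit\trusted-roots.json'  # assumed location

function Get-TrustedRoots {
    # Both stores matter: an installer running as the logged-in user can add a
    # root to CurrentUser\Root without administrative rights.
    foreach ($storePath in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $storePath | ForEach-Object {
            [pscustomobject]@{
                Store      = $storePath
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Compare-TrustedRoots {
    param(
        [Parameter(Mandatory)] $Current,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $KnownThumbprints
    )
    foreach ($cert in $Current) {
        if ($KnownThumbprints -contains $cert.Thumbprint) { continue }
        $reasons = @('not in baseline')
        # Heuristics only; every hit still needs a human decision.
        if ($cert.NotBefore -gt (Get-Date).AddDays(-30)) { $reasons += 'issued in last 30 days' }
        if ($cert.Subject -match 'Kaspersky|Update')     { $reasons += 'vendor/update wording in subject' }
        [pscustomobject]@{
            Store      = $cert.Store
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            Reasons    = ($reasons -join '; ')
        }
    }
}

$current = @(Get-TrustedRoots)

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the baseline and stop. Only do this on a verified host.
    New-Item -ItemType Directory -Path (Split-Path -Path $BaselinePath) -Force | Out-Null
    $current | Select-Object Store, Thumbprint, Subject | ConvertTo-Json -Depth 3 |
        Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) roots -> $BaselinePath"
    return
}

$known    = @((Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json) | ForEach-Object { $_.Thumbprint })
$findings = @(Compare-TrustedRoots -Current $current -KnownThumbprints $known)

if ($findings.Count -eq 0) {
    Write-Output "No roots outside the baseline ($($current.Count) checked)."
} else {
    # Export each suspect root for analysis; remove it from the store only after
    # confirming no legitimate product installed it.
    $findings | Format-Table -AutoSize
    foreach ($f in $findings) {
        Get-ChildItem -Path "$($f.Store)\$($f.Thumbprint)" |
            Export-Certificate -FilePath "$env:TEMP\suspect-$($f.Thumbprint).cer" | Out-Null
    }
    Write-Output "Exported $($findings.Count) suspect root(s) to $env:TEMP for review."
}
```

Run it once on a clean build to write the baseline, then on a schedule on the fleet. Two caveats: Windows adds legitimate roots through its automatic root update, so a new entry is not proof of compromise on its own, and a security product that performs HTTPS inspection may install its own root as a documented part of its setup; in both cases confirm against the vendor's published fingerprint before treating the entry as an implant.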