Particle.news


Microsoft Confirms FSB-Linked Hackers Exploit Russian ISPs to Spy on Moscow Embassies

The group uses captive-portal redirection and counterfeit Kaspersky root certificates to plant ApolloShadow, malware that strips TLS encryption from the victim's traffic

The Russian flag flies on the dome of the Kremlin Senate building in central Moscow, Russia, May 4, 2023. REUTERS/Stringer/File Photo

Overview

  • Microsoft Threat Intelligence confirmed that Secret Blizzard has established adversary-in-the-middle positions at multiple Russian ISPs to intercept embassy network traffic in Moscow.
  • The FSB-affiliated group tricks diplomatic staff into installing ApolloShadow by redirecting them through captive portals that prompt counterfeit Kaspersky root-certificate updates.
  • Once deployed, ApolloShadow disables TLS/SSL encryption and installs trusted root certificates to maintain persistent access and harvest plaintext browsing data, including tokens and credentials.
  • The espionage campaign has been active since at least 2024 and remains ongoing, with Microsoft declining to specify which embassies—including the US mission—were compromised.
  • This operation marks a shift from passive lawful intercept to active ISP-level network manipulation, highlighting the need for end-to-end encryption and vetted communication channels.
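The counterfeit root-certificate step described above only works if the bogus root actually lands in a trust store the browser consults, which makes "a root that was not here last week" a concrete thing for embassy IT to monitor. The script below is an added, defender-side example and is not code from the article or from Microsoft; it assumes the audited hosts run Windows (the article does not say which platform), a baseline file at a path of your choosing, and a 30-day "recently issued" heuristic, all of which are assumptions.

```powershell
<#
  Added example (not from the article or from Microsoft): baseline-and-diff audit of the
  Windows root certificate stores. A counterfeit "root certificate update" accepted through a
  captive portal has to land in one of these stores before TLS interception succeeds, so a
  root that is present now but absent from a known-good baseline is the thing to alert on.
  Run with -WriteBaseline on a known-good host first. The baseline path is an assumption.
#>
[CmdletBinding()]
param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.json",
    [switch]$WriteBaseline,
    [int]$RecentDays = 30   # heuristic: public CA roots are usually years old when they ship
)

function Get-RootStoreSnapshot {
    # Both stores matter: an interactive "install this certificate" prompt writes to
    # CurrentUser\Root, an elevated installer to LocalMachine\Root. Browsers trust either.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

$current = @(Get-RootStoreSnapshot)

if ($WriteBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written: $($current.Count) roots -> $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -WriteBaseline on a known-good host first."
}

# Key on store + thumbprint so the same root appearing in a second store is also reported.
$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($entry in $baseline) { $known["$($entry.Store)|$($entry.Thumbprint)"] = $true }

$added = @($current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") })

if ($added.Count -eq 0) {
    Write-Host "No new root certificates."
    return
}

$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($cert in $added) {
    $flags = @()
    # A freshly minted root is unusual for a legitimate CA and typical of an on-the-fly fake.
    if ($cert.NotBefore -gt $cutoff) { $flags += "issued within the last $RecentDays days" }
    # A root only in the per-user store was added interactively or by code running as that user,
    # not by the platform's own root-store maintenance.
    if ($cert.Store -like '*CurrentUser*') { $flags += 'per-user store' }
    [pscustomobject]@{
        Store      = $cert.Store
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        Flags      = ($flags -join '; ')
    }
}
```

Windows' automatic root updates will produce benign additions in LocalMachine\Root over time, so refresh the baseline after each patch cycle and treat the flags, not the bare diff, as the alert criterion. The thumbprints this script emits are also what you would pin or compare against a known-good chain when verifying that a connection to a sensitive service terminates at the expected root rather than at an ISP-level interception point.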