In a revelation that has sent shockwaves through diplomatic circles and cybersecurity communities alike, recent investigations have exposed a Kremlin-backed espionage campaign leveraging local internet service providers (ISPs) within Moscow to target foreign embassies and siphon intelligence from diplomats’ devices. According to a detailed warning published by Microsoft Threat Intelligence, this sophisticated operation is orchestrated by a threat actor Microsoft tracks as Secret Blizzard—a group known in industry parlance by aliases including VENOMOUS BEAR, Turla, WRAITH, and ATG26. This campaign, active since at least early 2024, utilizes network-level manipulation techniques that pose a significant threat to anyone operating sensitive infrastructure within Russia’s borders.

Unmasking Secret Blizzard: Old Hands, New Tactics

Secret Blizzard is widely suspected to be a unit affiliated with Russian intelligence services, with a long history of targeting diplomatic and governmental entities across the globe. What makes this fresh wave of attacks especially alarming—and potentially precedent-setting—is its abuse of the very infrastructure trusted by millions: local ISPs.
Whereas adversary-in-the-middle (AiTM) attacks have traditionally relied on imposter Wi-Fi hotspots with lookalike network names, this operation pivots to a much deeper layer. By securing an AiTM position at the ISP or telecommunications level, the attackers bypass the need to trick their targets at the network selection phase—the ISPs themselves facilitate the surveillance, whether knowingly or under coercive lawful intercept requirements.
Microsoft threat hunters first observed a significant campaign instance in February, noting that the attackers commandeered the ISP-level vantage to deploy their custom ApolloShadow malware specifically against embassy networks. The company declined to specify the number of affected organizations or infection success rates, highlighting the ongoing and sensitive nature of its investigations.

Anatomy of the Attack: From Captive Portals to Full System Takeover

Captive Portal Deception

The campaign begins when a diplomat or staff member attempts to connect to the internet from within Moscow. Instead of simply interfacing with the legitimate ISP infrastructure, their device is silently redirected behind a captive portal—a familiar sight to anyone who’s logged in at an airport, hotel, or café. Unlike a routine network access page, however, this portal is weaponized to manipulate subsequent system behavior.

Exploiting Connectivity Checks

Here, the attackers exploit a little-known facet of Windows’ networking stack—the Windows Test Connectivity Status Indicator. Whenever a Windows device checks internet availability, it makes an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should seamlessly reroute to msn[.]com. Instead, through DNS redirection powered by the malicious ISP foothold, the request resolves to a Secret Blizzard-controlled domain. This redirection likely results in a certificate validation error, nudging the victim to “remedy” the connection problem by downloading what appears to be legitimate certificates or software.
If the victim’s device is running with default administrative rights, the attacker’s ApolloShadow malware is installed directly. Should the device have stricter user controls enabled, the victim is tricked into downloading a fake “CertificateDB.exe” file—purportedly to resolve network trust issues—which grants the attackers the elevated privileges needed for installation.

TLS/SSL Stripping and Data Exposure

Once the malware takes hold, the attackers employ advanced techniques such as TLS/SSL stripping, which removes the encryption layer from the victim’s internet traffic. According to Microsoft’s analysis, this effectively renders much of the victim’s browsing, including potentially confidential communications and authentication tokens, visible to the attackers in clear text.
By leveraging their in-line position at the ISP, Kremlin hackers can manipulate DNS responses, redirect traffic to attacker-controlled command-and-control servers, and orchestrate the delivery of a second-stage payload. Victims are confronted with an innocuous-looking User Account Control (UAC) prompt—if accepted, the malware achieves highest-available privileges on the device.

System Manipulation and Persistent Access

With admin access in hand, ApolloShadow begins to systematically weaken the host device’s defenses. It:
  • Sets all network types to “private,” making the device discoverable on the local network.
  • Alters firewall rules to enable file sharing and reduce resistance to lateral movement.
  • Creates a persistent administrative backdoor account named “UpdatusUser,” with a hardcoded, never-expiring password using the NetUserAdd Windows API. This ensures Secret Blizzard operatives have enduring remote access to the compromised system, even if the malware itself is removed.
Microsoft has not yet observed evidence of lateral movement, but its telemetry suggests these network and policy modifications are made explicitly to prepare for such moves. By lowering the device’s network posture, attackers simplify the challenge of harvesting additional credentials or moving deeper into embassy IT environments.
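The chain described above leaves host-observable traces at two points: the hijacked connectivity probe (the resolver answer and what the probe URLs actually return) and the post-compromise changes (a never-expiring local administrator, Private network profiles, enabled sharing rules). The following script is an added example, not code from the article or from Microsoft, that audits a Windows host for both, read-only, so it can be run before and after travel and the two outputs compared. It assumes an elevated Windows 10/11 PowerShell session with the built-in DnsClient, LocalAccounts, NetConnection and NetSecurity modules. The hostname and the expected probe body are the documented defaults for the Windows connectivity check; the "UpdatusUser" name comes from the article; the redirect-domain heuristic and everything else is this example's own logic.

```powershell
# Added example (not from the article or from Microsoft). Read-only host audit
# for the indicators the article describes. Assumes elevated Windows PowerShell.

function Invoke-NoRedirectGet {
    # Fetch a URL WITHOUT following redirects, so a captive portal or a rewritten
    # 302 is seen as-is instead of being silently followed to its destination.
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response          # 4xx/5xx still carry a response
    }
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body = $reader.ReadToEnd(); $reader.Close()
    [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location']; Body = $body.Trim() }
}

function Test-ConnectivityProbePath {
    # Checks the probe host the article names. Expected values are the documented
    # Windows defaults; the "stays inside microsoft.com/msn.com" rule is an assumption.
    $probeHost = 'www.msftconnecttest.com'
    $out = New-Object System.Collections.Generic.List[string]
    $ips = Resolve-DnsName -Name $probeHost -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    # Record what the ISP's resolver says; compare with a resolver you trust (over a tunnel).
    $out.Add("Local resolver maps $probeHost to: $($ips -join ', ')")
    $probe = Invoke-NoRedirectGet -Url "http://$probeHost/connecttest.txt"
    if ($probe.Status -ne 200 -or $probe.Body -ne 'Microsoft Connect Test') {
        $out.Add("ALERT: connecttest.txt returned HTTP $($probe.Status); something answers in place of the probe host")
    }
    $redir = Invoke-NoRedirectGet -Url "http://$probeHost/redirect"
    if ($redir.Status -ge 300 -and $redir.Status -lt 400) {
        $out.Add("/redirect -> HTTP $($redir.Status) Location: $($redir.Location)")
        if ($redir.Location -notmatch '^https?://([a-z0-9-]+\.)*(microsoft|msn)\.com(/|$)') {
            $out.Add("ALERT: /redirect points outside microsoft.com/msn.com")
        }
    } elseif ($redir.Body -match '<html') {
        # A full HTML page instead of a redirect is the classic captive-portal signature.
        $out.Add("ALERT: /redirect served an HTML page (HTTP $($redir.Status)) - captive portal or interception")
    }
    return $out
}

function Get-SuspiciousLocalAdmins {
    # Local Administrators whose password never expires, plus the article's backdoor
    # name. The group is found by well-known SID so a renamed group still resolves.
    $adminGroup = Get-LocalGroup | Where-Object { $_.SID.Value -eq 'S-1-5-32-544' }
    $members = Get-LocalGroupMember -Group $adminGroup | Where-Object { $_.ObjectClass -eq 'User' }
    foreach ($m in $members) {
        $user = Get-LocalUser | Where-Object { $_.SID.Value -eq $m.SID.Value }
        if ($null -eq $user) { continue }     # domain user, not a local account
        $neverExpires = ($null -eq $user.PasswordExpires)
        $knownName    = ($user.Name -ieq 'UpdatusUser')
        if ($neverExpires -or $knownName) {
            [pscustomobject]@{ Check = 'LocalAdmin'; Name = $user.Name; Enabled = $user.Enabled
                               PasswordNeverExpires = $neverExpires; KnownBackdoorName = $knownName
                               PasswordLastSet = $user.PasswordLastSet }
        }
    }
}

function Get-PrivateNetworkProfiles {
    # Active connection profiles classed Private; on a managed laptop most should
    # be DomainAuthenticated or Public.
    Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Private' } | ForEach-Object {
        [pscustomobject]@{ Check = 'NetworkProfile'; Name = $_.Name; InterfaceAlias = $_.InterfaceAlias }
    }
}

function Get-EnabledSharingRules {
    # Enabled inbound File and Printer Sharing rules and the profiles they apply to.
    # The DisplayGroup string is the English one; it is localized on other-language Windows.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True | ForEach-Object {
        [pscustomobject]@{ Check = 'FirewallRule'; DisplayName = $_.DisplayName; Profile = $_.Profile; Action = $_.Action }
    }
}

function Invoke-HostAudit {
    # Collect everything so it can be exported (Export-Csv) and diffed against a
    # baseline captured on a known-good network.
    $findings = @()
    $findings += Get-SuspiciousLocalAdmins
    $findings += Get-PrivateNetworkProfiles
    $findings += Get-EnabledSharingRules
    return $findings
}

Test-ConnectivityProbePath | ForEach-Object { Write-Output $_ }
Invoke-HostAudit | Format-Table -AutoSize
```

Run it once from a trusted network to capture a baseline (pipe `Invoke-HostAudit` to `Export-Csv`), then again on the suspect network; a resolver answer or probe response that changes with the network, a new never-expiring local administrator, or sharing rules that became enabled on a Private profile are the findings worth escalating. The script changes nothing on the host, so it is safe to run repeatedly.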

From Lawful Intercept to Spyware: The Murky Role of Local ISPs

Perhaps the most disturbing aspect of the campaign lies in its reliance on the “lawful intercept” capabilities built into modern ISP infrastructure. By regulatory design, ISPs are often required to provide government agencies a means to monitor and intercept network traffic for legal investigations. In Russia, where government control and oversight of the telecommunications sector is both technical and legal, the boundary between lawful monitoring and clandestine espionage is alarmingly thin.
When pressed by The Register, Microsoft declined to specify whether the ISPs involved acted with informed consent or under duress—noting only that, in “certain geopolitical contexts, any ISP may not be acting independently.” As Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy, explained: “In a country where the government has deep technical and legal control over ISPs, that infrastructure can become part of the threat surface.”
This comment echoes long-standing warnings from privacy advocates and Western intelligence agencies about the dangers of operating in high-risk environments where ISPs are extensions of, or are subordinate to, the state security apparatus. The revelation that these capabilities are now actively being used for tactical malware delivery—rather than purely passive surveillance—marks a strategic escalation in cyber-espionage tradecraft.

Historical Perspective: Turla Group’s Track Record

Secret Blizzard, better known as Turla, has a well-documented pedigree in Russian cyber operations. Since at least the mid-2000s, Turla has been linked to operations targeting NATO, European government ministries, defense contractors, and other sensitive entities. Security vendors such as Kaspersky Lab and FireEye have tracked its evolving toolkits, from the early Snake/Uroburos implants to more recent living-off-the-land attacks that co-opt native system utilities and cloud-based infrastructure.
Secret Blizzard’s adoption of ISP-level AiTM techniques is both an evolution in scale and a nod to classic intelligence doctrine: if you control the communication channel, you control (or at least see) the data.

Critical Analysis: Unprecedented Threat, Predictable Response?

The Strengths of Secret Blizzard’s Approach

  • Deep Access: By abusing lawful intercept at the ISP layer, Secret Blizzard sidesteps many endpoint protections, gaining access at a level most organizations do not directly monitor.
  • Trusted Infrastructure Subversion: ISPs typically enjoy reputational trust from their customers. Malicious activity originating from these providers bypasses most blocklists and geofencing strategies.
  • Stealth: The use of legitimate processes, like Windows connectivity checks and certificate prompts, allows for social engineering with a veneer of authenticity.
  • Operational Security: The campaign leverages ephemeral domains and rapid infrastructure rotation, making incident response and attribution more difficult.

Major Risks and Limitations

  • Detection Potential: While endpoint detection is weakened, agencies with robust network monitoring (especially using off-premises or satellite connectivity) are more likely to spot anomalous traffic or failed certificate checks.
  • Dependency on User Interaction: The attack still requires some form of human error (downloading malware, clicking UAC prompts), though it is heavily aided by the plausibility of network disruptions and trust in “official” ISP messages.
  • Attribution Complexities: The campaign’s reliance on infrastructure controlled by the Russian state complicates international response and raises the stakes for diplomatic fallout. There is an inherent risk that undisclosed counter-espionage capabilities could be exposed in the process.

Implications for Diplomats and International Organizations

This campaign is a powerful case study in the risks associated with operating critical missions within adversarial jurisdictions. Even with standard security hygiene—endpoint protection, OS patching, cautious web habits—attackers who control the local internet backbone can negate many defensive layers. The “trusted” relationship between user and ISP is a vulnerability that cannot always be patched.
Diplomatic missions have long been aware of physical surveillance and signal interception risks in Moscow. However, the abuse of digital infrastructure designed for legitimate investigative purposes is a stark reminder: technical sovereignty, especially in autocratic states, is a sword that cuts both ways.

Microsoft’s Recommendations: Is There Any Real Safety?

Microsoft’s guidance for diplomats and high-risk personnel in Moscow is unambiguous:
  • Never trust the local ISP with sensitive communications under these circumstances.
  • Route all network traffic through an encrypted tunnel (such as a government-operated VPN or secure satellite provider) that is entirely controlled outside of Russian jurisdiction.
  • Avoid physical reliance on local infrastructure where possible, including Wi-Fi, Ethernet, and mobile carrier links that traverse Russian backbone networks.
These recommendations are consistent with longstanding best practices for operating in hostile environments, echoed by institutions such as the U.S. State Department and NATO. However, they come with substantial operational burdens—secure VPNs and satellite links are expensive, require specialized support, and may themselves be subject to increased scrutiny or signal jamming.

The Bigger Picture: Global Reverberations

This campaign’s exposure will inevitably accelerate a broader sense of caution among international organizations working in autocratic states. The weaponization of lawful intercept, coupled with advanced social engineering and endpoint manipulation, is a wake-up call for anyone whose operations depend upon the integrity of hostile-state infrastructure.
While Secret Blizzard’s campaign is notable for its apparent sophistication and scale, it represents an evolution of tactics rather than a complete revolution. Western intelligence services have long suspected, and occasionally directly accused, Russian state organs of manipulating local ISPs for both passive and active attacks.
However, this level of technical detail—involving forced captive portals, exploitation of platform-native connectivity checks, dynamic UAC social engineering, and infrastructural weaponization—marks a new frontier in the steady convergence of nation-state cyber operations and the insidious reach of everyday telecommunications.

Is There an Endgame?

For now, Secret Blizzard’s operations serve as a grim case study in state-enabled cyberespionage—a template that may well be replicated by other globally resourced adversaries. The challenge for defenders, especially those restricted to operating within sovereign borders, is to continually adapt, leveraging externalized infrastructure, multifactor authentication, and, crucially, an informed and vigilant end user.
But with ISPs themselves co-opted into the arsenal of cyberattackers, the margin for human error has never been slimmer.

Takeaways for the Windows Community

Whether you are a diplomat, an international businessperson, or simply a Windows enthusiast interested in the intersection of operating system design and geopolitics, Microsoft’s detailed public disclosure serves as both an indictment of infrastructural trust and a call to harden every conceivable layer.
  • Keep systems updated but recognize that patching alone cannot protect against infrastructure-level threats.
  • Use VPNs and secure tunnels where feasible, preferably those not routed through adversarial jurisdictions.
  • Educate users on the risks of unexpected certificate errors, UAC prompts, and the deceptive tactics now in widespread use by advanced persistent threat actors.
  • Advocate for independent network infrastructure, wherever feasible, when operating in high-risk locales.
As cyberspace becomes ever more entangled with nation-state interests, the old boundaries between “civilian” connectivity and national defense have all but disappeared. The story of Secret Blizzard and the weaponized Moscow ISP is not a one-off—it is the shape of things to come.

A Final Word: Vigilance, Not Paranoia

It is tempting to frame these revelations as an insurmountable obstacle for anyone operating from within hostile territory. Yet history shows that every technical escalation produces its own set of defensive innovations. The real challenge for organizations is to remain clear-eyed—to recognize that “normal” infrastructure can, overnight, become part of a hostile toolchain.
No antivirus update or system patch will replace the careful vetting of network providers, nor the situational awareness needed in today’s digital minefield. For diplomats in Moscow, and indeed, for all high-value targets, the only safe assumption is that the infrastructure itself is contested ground.
With Microsoft, independent threat researchers, and international media shining a spotlight on the mechanics of modern cyber espionage, the avenue for silent, unchecked state surveillance has undoubtedly narrowed—but the threat has not disappeared. In the interconnected world of Windows, ISPs, and geopolitical intrigue, the defenders must never sleep.

Source: theregister.com Kremlin goons caught abusing local ISPs to spy on diplomats