The hacker group Secret Blizzard, closely associated with the FSB of Russia, exploited state resources for cyber espionage against foreign diplomatic missions in Moscow.
This information was disclosed by Microsoft in its report released on July 31, 2025.
According to Microsoft, Secret Blizzard (also known as Turla) launched an extensive cyber espionage campaign targeting embassies operating in Moscow. The hackers gained access to Russian internet service providers, utilizing their infrastructure to intercept diplomatic traffic.
Experts identified that the attacks used the Adversary-in-the-Middle (AiTM) technique, in which the attacker positions itself between the victim and the server so that it can intercept and manipulate the communication and capture sensitive data.
During the attacks, the hackers installed malicious software called ApolloShadow on diplomatic devices, enabling them to perform so-called HTTPS downgrade attacks (TLS/SSL stripping), thus exposing encrypted traffic, including logins, passwords, authentication tokens, and other sensitive information.
Additionally, ApolloShadow installed a root certificate presented as being from "Kaspersky Lab" into the devices' trusted store. Because the victims' systems then treated that certificate as trusted, connections to fake or compromised websites appeared secure, giving the hackers the illusion of a safe connection. As a result, the group maintained long-term control over the devices of foreign diplomats.
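A defender-side check for the kind of root-store tampering described above, written as an added example that is not from Microsoft's report or this article: it lists every certificate in the Windows machine and user Trusted Root stores that is missing from a baseline of known-good thumbprints. The baseline file path and its one-thumbprint-per-line format are assumptions for this example.

```powershell
# Added example: audit the Windows Trusted Root stores against a baseline.
# A root certificate that an attacker planted (as ApolloShadow is reported
# to have done) will not be in a baseline captured from a clean build.
# The baseline path and format below are assumptions for this example.
$BaselinePath = 'C:\Baseline\trusted-roots.txt'   # assumed: one SHA-1 thumbprint per line

# Normalize the baseline: uppercase, trimmed, blank lines dropped.
$Baseline = Get-Content -Path $BaselinePath |
    ForEach-Object { $_.Trim().ToUpper() } |
    Where-Object { $_ }

# Check both stores: the per-user store is writable without admin rights,
# so it is a common place for a rogue root to land.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Unexpected = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | Where-Object {
        $Baseline -notcontains $_.Thumbprint.ToUpper()
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore   # a very recent date on a "vendor" root is suspicious
            NotAfter   = $_.NotAfter
        }
    }
}

if ($Unexpected) {
    Write-Warning "Root certificates not in baseline: $($Unexpected.Count)"
    $Unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Trusted Root stores match the baseline.'
}
```

Pay particular attention to entries whose Subject names a well-known vendor but whose thumbprint is unknown to the baseline; a display name alone proves nothing about who issued the certificate.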
Experts believe that the System for Operative Investigative Activities (SORM), a Russian state system that allows authorities to intercept internet traffic in real time, played a crucial role in this large-scale cyber attack.
Secret Blizzard has been identified by the Cybersecurity and Infrastructure Security Agency (CISA) as part of the "Center 16" of the FSB. This entity ranks among the leading state-sponsored hacker groups globally and is systematically used by Russia in cyber warfare and influence campaigns.