Kremlin goons caught abusing ISPs to spy on Moscow-based diplomats, Microsoft says


Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and collect intel from diplomats' devices, according to a Microsoft Threat Intelligence warning.

In a Thursday report, Redmond detailed the ongoing cyber-espionage campaign, which has been active since at least 2024 and is carried out by a Kremlin-backed group it tracks as Secret Blizzard (aka VENOMOUS BEAR, Turla, WRAITH, ATG26). Microsoft declined to say how many organizations were targeted, or successfully infected, in this campaign.

The threat hunters first observed one such Secret Blizzard snooping mission in February. Putin's spies, according to Microsoft, used an adversary-in-the-middle (AiTM) position at the ISP/telco level to gain access to foreign embassies located in Moscow and deploy their custom ApolloShadow malware. 

In an AiTM attack, the attacker intercepts communications between two parties, such as the victim's device and the website it is trying to access. The attacker can then read messages ...


Copyright of this story solely belongs to theregister.co.uk.