Microsoft reports new Russian cyberespionage targeting foreign diplomats

Microsoft has reported that foreign diplomats using Moscow-based internet service providers are at risk of having their data security compromised. According to the company, Russia is deploying an application called ApolloShadow through these providers, disguised as software from Kaspersky Lab. This deceptive application tricks devices into installing browser root certificates, allowing cyber spies to bypass TLS encryption and monitor web activity, including individual identification tokens and credentials.

The campaign has been ongoing since at least 2024 and poses a high risk to foreign embassies, diplomatic missions, and other sensitive organizations in Moscow, especially those relying on local ISPs. This is the first public confirmation of widespread suspicions regarding the use of ISP infrastructure for cyberespionage.

Western intelligence agencies link the threat group "Secret Blizzard" to FSB Center-16 (also tracked under codenames such as ATG26, Blue Python, Krypton, Snake/Turla, Uroburos, Venomous Bear, Waterbug, and Wraith). Technically, the attack delivers a high-privilege installer and a forged root certificate (subject "Kaspersky AV"; file named CertificateDB.exe), disguised as Kaspersky software, via redirection to a captive portal triggered by the Windows Network Connectivity Status Indicator (NCSI). This enables SSL-stripping attacks that downgrade encrypted connections to HTTP, so traffic and credentials can be intercepted.

More broadly, the weakness in the public certificate system arises from its reliance on a trust chain that terminates at root certificate authorities: once a root key is compromised, or a rogue root is forcibly installed on a device, certificates issued under it are accepted for any site, so interception succeeds despite end-to-end encryption.
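As an added illustration of the defensive check the two preceding paragraphs imply (this is not code from the article or from Microsoft's report), the PowerShell script below audits both Windows root stores against a baseline recorded on a known-clean host and flags any root certificate added since, noting roots that were issued recently or whose subject borrows the Kaspersky name. The baseline path, the 90-day window, and the output format are assumptions of the example; the "Kaspersky AV" subject is the one named in the article.

```powershell
# Added example, not from the article or Microsoft's report: audit the Windows
# root certificate stores against a baseline and report anything added since.
# Rogue-root attacks of the kind described above succeed only if a new root
# lands in one of these stores, so a new entry is the artefact to look for.
# Assumptions: the baseline path and the 90-day window are illustrative.

param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.csv",
    [switch]$RecordBaseline
)

# Both stores matter: CurrentUser\Root can be written without admin rights,
# so a non-privileged installer can still plant a root for that user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

if ($RecordBaseline) {
    # Run once on a clean machine (fresh build, before it joins any untrusted
    # network) to capture the set of root thumbprints you expect to see.
    $roots | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Recorded $($roots.Count) root certificates to $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -RecordBaseline on a clean host first."
}

# Index the baseline by store and thumbprint so the comparison is exact.
$known = @{}
foreach ($b in (Import-Csv -Path $BaselinePath)) {
    $known["$($b.Store)|$($b.Thumbprint)"] = $true
}

$added = $roots | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }

if (-not $added) {
    Write-Output 'No root certificates added since baseline.'
    return
}

$cutoff = (Get-Date).AddDays(-90)
foreach ($cert in $added) {
    $flags = @()
    # A root issued very recently is more suspicious than one that simply
    # arrived with a Windows root-store update.
    if ($cert.NotBefore -gt $cutoff) { $flags += 'recently issued' }
    # Brand name used as bait in the campaign described in the article.
    if ($cert.Subject -match 'Kaspersky') { $flags += 'vendor-lookalike subject' }

    $suffix = ''
    if ($flags.Count -gt 0) { $suffix = ' [' + ($flags -join ', ') + ']' }
    Write-Warning ('New root in {0}: {1} (thumbprint {2}){3}' -f $cert.Store, $cert.Subject, $cert.Thumbprint, $suffix)
}
```

Run it once with `-RecordBaseline` on a trusted build, then periodically (or after connecting to an untrusted network) without the switch. Legitimate additions do occur, since Windows updates its trusted roots automatically, so treat a hit as a prompt to inspect the certificate's subject, issuer and the process that installed it rather than as proof of compromise on its own.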

Microsoft recommends avoiding unsecured Russian networks and routing traffic through encrypted tunnels to trusted networks or VPN providers (including satellite-based ones) whose infrastructure is not controlled by Russian authorities.

Historically, FSB Center-16 has been linked to early cyberespionage campaigns such as "Moonlight Maze" and the Agent.btz worm in 2008. Similar techniques of masquerading as legitimate brands were observed by ESET between 2016 and 2018 in attacks targeting consulates and embassies in Eastern Europe.
