Russian Security Service Infected Foreign Embassies’ Devices With Spy ‘Virus’

Russian internet providers infected the devices of foreign embassy employees with the ApolloShadow program to gain access to confidential and encrypted data.

The details of the cyberattack have been revealed by Microsoft Threat Intelligence, which reported a large-scale espionage cyber operation.

The Russian hacker group Secret Blizzard infected the devices of diplomatic staff with the ApolloShadow spyware when they connected to networks of Russian internet providers.

According to Microsoft, the espionage campaign by the Russian security service has been ongoing since 2024 and was aimed at foreign embassies, diplomatic institutions, and other sensitive organizations located in Moscow.

ApolloShadow masquerades as antivirus software and forges root certificates, which allows it to intercept and modify even encrypted data traffic.

Furthermore, the program can collect logins, passwords, authentication tokens, and other critical information, as well as create accounts with admin rights. This provides hackers with continuous access to the infected device and enables covert surveillance.
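The two behaviours just described, a forged root certificate that lets encrypted traffic be read and altered, and a newly created account with administrator rights that keeps the access alive, both leave traces that an administrator can check for on a Windows host. The PowerShell audit below is an added example written for this article; it is not code from Microsoft's report or from any analysis of ApolloShadow. The baseline thumbprints and account names in it are placeholders, to be replaced with values exported from a known-good machine built from the same image.

```powershell
# Added example (not from the article or from Microsoft's report): compare the
# machine root-certificate store and the local Administrators group against a
# baseline. All baseline values below are PLACEHOLDERS.
$ErrorActionPreference = 'Stop'

# SHA-1 thumbprints of the root CAs this host is expected to trust.
# Placeholder values: export the real list from a known-good machine with
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
$ExpectedRootThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

# Principals that are supposed to sit in the local Administrators group
# (placeholder names).
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'PLACEHOLDER_DOMAIN\Domain Admins'
)

function Get-UnexpectedRootCertificates {
    param([string[]]$Expected)
    # Anything in the machine Root store is trusted by every TLS client that
    # relies on the Windows store, so one unexpected entry is enough to let its
    # holder issue certificates that those clients accept for any hostname.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $Expected -notcontains $_.Thumbprint } |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Expected)
    # Members of the local Administrators group that the baseline does not list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$rogueRoots  = Get-UnexpectedRootCertificates -Expected $ExpectedRootThumbprints
$rogueAdmins = Get-UnexpectedLocalAdmins      -Expected $ExpectedAdmins

if ($rogueRoots) {
    Write-Warning 'Root CA certificates not in baseline:'
    $rogueRoots | Sort-Object NotBefore -Descending | Format-Table -AutoSize
}
if ($rogueAdmins) {
    Write-Warning 'Local Administrators members not in baseline:'
    $rogueAdmins | Format-Table -AutoSize
}
if (-not $rogueRoots -and -not $rogueAdmins) {
    Write-Host 'Root store and Administrators group match the baseline.'
}
```

Run it from an elevated PowerShell session; Get-LocalGroupMember comes from the LocalAccounts module shipped with Windows PowerShell 5.1 and PowerShell 7 on Windows. Sorting the unexpected roots by NotBefore puts the most recently issued ones first, which is useful when the baseline is imperfect: a self-signed root created days ago is a more urgent finding than a stale but legitimate one the baseline simply missed.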

Thus, Secret Blizzard gains full control over the online activity of devices and the ability to intercept a vast amount of classified information, including correspondence and documents related to international negotiations.

Cyber Operation by the Federal Security Service of the Russian Federation

Microsoft noted that for the cyberattacks, the group used the System for Operative Investigative Activities (SORM), the lawful-interception system built into Russian telecommunications infrastructure. This system allows Russian security services to monitor phone calls, correspondence, and other data exchanges.

Previously, the U.S. Cybersecurity and Infrastructure Security Agency officially recognized the group Secret Blizzard as part of the 16th Center of the Federal Security Service of the Russian Federation, which is responsible for radio-electronic intelligence and operations on the internet, including data interception and decryption.

Secret Blizzard is primarily interested in foreign ministries, embassies, government institutions, defense agencies, and companies related to defense in various countries around the world.

Their main goal is to gain long-term access to foreign computer systems to secretly collect intelligence. To achieve this, they use a variety of malicious programs, including those that can interact with each other without a central server or are remotely controlled via special channels.

During attacks, they steal documents, PDF files, email content – anything that might have political or intelligence value. They are especially interested in documents and data that could influence international politics.
