
Cyber Espionage Targeting Embassies: New Insights from Microsoft


The hacker group Secret Blizzard, associated with Russia's FSB, used the state communications interception system (SORM) to conduct cyber espionage against foreign embassies in Moscow.

This information was disclosed in the Microsoft Threat Intelligence report dated July 31, 2025.

According to Microsoft, Secret Blizzard (also known as Turla) ran a large-scale cyber espionage campaign against diplomatic missions operating in Moscow. The hackers gained access to Russian internet service providers and used that infrastructure to intercept the embassies' internet traffic.

Experts determined that the attack used an Adversary-in-the-Middle (AiTM) technique, in which the attacker positions itself between the victim and the server it is communicating with and can capture the data exchanged.

During the attacks, the hackers installed malicious software called ApolloShadow on diplomatic devices, which let them perform a so-called HTTPS downgrade attack (TLS/SSL stripping). This removed the encryption from the victims' traffic, exposing logins, passwords, authentication tokens, and other sensitive information.

ApolloShadow also installed a trusted root certificate from "Kaspersky Lab" on the devices. Because the victims' systems treated this certificate as trusted, the hackers could make fake or compromised websites appear as secure connections. This gave the group long-term control over the devices of foreign diplomats.
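A rogue root certificate is only effective while it sits unnoticed in the trusted store, so the practical defensive check is to compare each host's root stores against a known-good baseline rather than to look for a particular name (a certificate can carry any subject the attacker chooses). The following PowerShell script is an added example written for this article, not code from Microsoft's report; it assumes a baseline file of approved thumbprints at a placeholder path and checks both the machine-wide and the current user's root store.

```powershell
# Added example: audit Windows trusted root stores against an approved baseline.
# Assumes a baseline file (one SHA-1 thumbprint per line) exported earlier from a
# known-good host with:  Get-ChildItem Cert:\LocalMachine\Root | Select -Expand Thumbprint
param(
    [string]$BaselinePath = "C:\baseline\root-thumbprints.txt"   # placeholder path
)

# Approved thumbprints, normalised to upper case for comparison.
$approved = Get-Content $BaselinePath |
    ForEach-Object { $_.Trim().ToUpper() } |
    Where-Object { $_ }

# A certificate dropped into either store is trusted by browsers and tools that
# rely on the OS store, so both are checked.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        if ($approved -notcontains $cert.Thumbprint.ToUpper()) {
            [pscustomobject]@{
                Store          = $store
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                Issuer         = $cert.Issuer
                NotBefore      = $cert.NotBefore
                # Roots that appeared in the last 30 days deserve a closer look.
                RecentlyIssued = ($cert.NotBefore -gt (Get-Date).AddDays(-30))
            }
        }
    }
}

if ($findings) {
    Write-Warning "Found $($findings.Count) root certificate(s) outside the baseline:"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "All trusted root certificates match the baseline."
exit 0
```

Run it from a scheduled task or an endpoint management tool and alert on a non-zero exit code; any unapproved root, whatever its subject says, should be investigated before it is removed so the installation path can be traced.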

Experts believe that the System for Operational Search Measures (SORM), a Russian state system that lets law enforcement agencies intercept internet traffic in real time, played a crucial role in this extensive cyberattack.

Secret Blizzard has been identified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as part of the FSB's "Center 16", which ranks among the leading state-sponsored hacking groups globally and is systematically employed by Russia in cyber warfare and influence campaigns.