#News

Russian hacker group directly linked to the FSB attacked foreign embassies in Moscow

2025.08.01

They deployed malware that installed a rogue root certificate so the victims' encrypted traffic could be decrypted, relying on the state communication interception system for the network position

The Russian hacker group Secret Blizzard used the state communication interception system (SORM) for cyber espionage against foreign embassies in Moscow, according to a report by Microsoft Threat Intelligence. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Secret Blizzard is linked to Center 16 of Russia's FSB.

As stated in the report, the group has been running a large-scale cyber espionage campaign against foreign embassies operating in Moscow since at least 2024. The hackers obtained a position inside the infrastructure of Russian internet providers and used it to intercept the internet traffic of diplomatic institutions.

From that position the hackers used an adversary-in-the-middle (AiTM) technique to deploy purpose-built malware called ApolloShadow. Once it was in place, the victims' encrypted traffic could be decrypted and read, exposing logins, passwords, authentication tokens, and other sensitive information.

To make this possible, ApolloShadow installed a trusted root certificate presented as belonging to "Kaspersky Lab" on the victims' devices. Because the system then treated any certificate issued under that root as valid, the attackers could present fake or infected sites with what looked like a secure connection and could decrypt the traffic they intercepted. In this way the group gained long-term control over the devices of foreign diplomats.
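The practical check that follows from this is an audit of the Windows root certificate stores, since a root that was added without the administrator's knowledge silently validates every certificate the attacker issues. The script below is an added example written for this article; it is not code from the Microsoft report or from the ApolloShadow sample. The heuristics (a recent validity start date, a subject string naming a security vendor, absence from a baseline list exported from a known-clean host) are assumptions chosen to illustrate the hunt, not indicators published in the report.

```powershell
# Added example: audit Windows root stores for certificates that could enable AiTM TLS interception.
# Assumptions (not from the report): the threshold, the watch list and the baseline file format.
param(
    [int]$RecentDays = 180,            # flag roots whose validity period started recently
    [string[]]$Watch = @('Kaspersky'), # subject strings worth a second look, per the lure in the article
    [string]$BaselineFile = ''         # optional: one known-good thumbprint per line, exported from a clean host
)

$baseline = if ($BaselineFile -and (Test-Path $BaselineFile)) { Get-Content $BaselineFile } else { @() }

$results = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()

        # A root CA minted shortly before it appeared on the host is unusual on a managed machine.
        if ($cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) { $reasons += 'recent NotBefore' }

        # A subject naming a security vendor proves nothing by itself, but matches the lure described above.
        foreach ($w in $Watch) {
            if ($cert.Subject -match $w) { $reasons += "subject matches '$w'" }
        }

        # Anything absent from the clean-host baseline was added after that snapshot was taken.
        if ($baseline.Count -gt 0 -and $baseline -notcontains $cert.Thumbprint) { $reasons += 'not in baseline' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

$results | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store is fully readable, and check both stores: a root placed in CurrentUser\Root affects that user's browsers just as effectively as one in LocalMachine\Root. A flagged entry can be removed with Remove-Item on its Cert: path (for example Cert:\LocalMachine\Root\<thumbprint>), but removal alone is not enough: every credential and token sent over TLS while the root was trusted should be treated as exposed and rotated.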

Experts believe that the System for Operational-Investigative Activities (SORM), a Russian state system that allows law enforcement agencies to intercept internet traffic in real time, played a key role in an attack of this scale.