Microsoft Reveals Russian ISP-Level Cyber Campaign

Microsoft Threat Intelligence has exposed a sophisticated espionage operation by the Russian state-sponsored actor it tracks as Secret Blizzard, which leverages control over Russian ISPs to launch adversary-in-the-middle (AiTM) attacks against foreign embassies located in Moscow. The primary objective is to force the installation of a malicious TLS root certificate via a custom backdoor, ApolloShadow, enabling the actor to impersonate any TLS-protected site to the victim and to gather intelligence over the long term.
Campaign Overview and Timeline
First observed in mid-2024, this campaign relies on the lawful-intercept capability that Russia's major Internet Service Providers are legally required to provide (the SORM system), which gives the actor a position inside the ISP network from which embassy traffic can be intercepted. From there, the threat actors can transparently redirect embassy personnel to attacker-controlled domains masquerading as trusted sites, facilitating the stealthy delivery of malware.
Adversary-in-the-Middle at the ISP Level
Unlike traditional network-based attacks, Secret Blizzard's AiTM approach operates:
- At the ISP edge, allowing the attackers to manipulate DNS responses and HTTP redirects before they reach embassy networks.
- With transparency to the endpoint: users see legitimate URLs (e.g., msn.com) despite being routed through malicious proxies.
- By abusing captive-portal behaviour to trigger the Windows Test Connectivity Status Indicator, a standard OS component whose NCSI probe ends at http://www.msftconnecttest.com/redirect, and then intercepting and replacing that final redirect with an attacker-controlled page.
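The captive-portal redirect in the last two bullets is the hinge of the whole chain, so here is an added example (written for this page, not Microsoft's code or anything from the report) that models both sides of it in Go: a stand-in for www.msftconnecttest.com in benign and hijacked modes, and a probe client that issues the same two NCSI requests Windows does but stops at the first redirect so the Location header can be inspected before any page is loaded. The probe paths and the "Microsoft Connect Test" body are the real NCSI values; the expected redirect host (www.msn.com) and the attacker hostname portal.attacker.example are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Probe paths and the expected body are the well-known NCSI values; the set of
// hosts Microsoft is expected to redirect to is an assumption for this example.
const (
	probePath    = "/connecttest.txt"
	redirectPath = "/redirect"
	expectedBody = "Microsoft Connect Test"
)

var expectedRedirectHosts = map[string]bool{"www.msn.com": true}

type ProbeResult struct {
	DirectInternet bool   // /connecttest.txt returned the expected text
	RedirectHost   string // host named in the Location header of /redirect
	Hijacked       bool   // that host is not one Microsoft would send us to
}

// CheckProbe issues the two requests a Windows host issues but refuses to follow
// redirects, so the Location header is inspected before any page is loaded.
func CheckProbe(base string) (ProbeResult, error) {
	var res ProbeResult
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // stop at the first hop
		},
	}
	resp, err := client.Get(base + probePath)
	if err != nil {
		return res, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return res, err
	}
	// Anything but 200 + the magic string makes Windows assume a captive portal.
	res.DirectInternet = resp.StatusCode == http.StatusOK &&
		strings.TrimSpace(string(body)) == expectedBody
	resp, err = client.Get(base + redirectPath)
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	u, err := url.Parse(resp.Header.Get("Location")) // empty if not a redirect
	if err != nil {
		return res, err
	}
	res.RedirectHost = u.Hostname()
	res.Hijacked = !expectedRedirectHosts[res.RedirectHost]
	return res, nil
}

// probeServer stands in for www.msftconnecttest.com as seen from the embassy
// network. With hijacked == false it answers like the real endpoint; with
// hijacked == true it models the ISP-level AiTM: the connectivity test gets a
// redirect (so Windows opens the captive-portal browser) and the final hop
// points at an attacker page. The attacker hostname is constructed.
func probeServer(hijacked bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(probePath, func(w http.ResponseWriter, r *http.Request) {
		if hijacked {
			http.Redirect(w, r, "http://portal.attacker.example/", http.StatusFound)
			return
		}
		io.WriteString(w, expectedBody)
	})
	mux.HandleFunc(redirectPath, func(w http.ResponseWriter, r *http.Request) {
		target := "http://www.msn.com/"
		if hijacked {
			target = "http://portal.attacker.example/certificate-error"
		}
		http.Redirect(w, r, target, http.StatusFound)
	})
	return httptest.NewServer(mux)
}

// RunProbeScenario probes a benign and a hijacked stand-in and returns both.
func RunProbeScenario() (benign, hijacked ProbeResult, err error) {
	good, bad := probeServer(false), probeServer(true)
	defer good.Close()
	defer bad.Close()
	if benign, err = CheckProbe(good.URL); err != nil {
		return benign, hijacked, err
	}
	hijacked, err = CheckProbe(bad.URL)
	return benign, hijacked, err
}

func main() { fmt.Println(RunProbeScenario()) }
```

The same two requests make a cheap canary from inside an embassy network: a connectivity test that unexpectedly comes back as a captive portal, or a /redirect hop that leaves Microsoft-owned hosts, is exactly the condition this campaign creates, and it can be checked without ever rendering the attacker's page.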
Payload Delivery: ApolloShadow
Once the malicious redirect triggers a browser certificate error, targets are prompted to download CertificateDB.exe, disguised as a Kaspersky installer. Upon execution, ApolloShadow performs:
- Privilege enumeration via the GetTokenInformation API to determine whether it can silently install a root CA certificate.
- If privileges are insufficient, it displays a UAC prompt requesting elevation, using a second-stage VBScript delivered from a spoofed timestamp.digicert.com/registered endpoint, a hostname the actor can answer for from its AiTM position, so the download looks like routine code-signing timestamp traffic.
- Installation of a rogue root certificate into the Windows trusted root store, so that leaf certificates minted by the AiTM proxy for any site validate without a browser warning and the victim's TLS sessions can be decrypted in transit.
- Reconfiguration of all Windows network profiles to Private, which relaxes Windows Firewall rules (e.g., SMB file-sharing ports) and eases potential lateral movement.
Technical Deep Dive
For defenders, understanding each link in the chain is critical:
- Captive Portal Abuse: The attackers exploit legitimate RADIUS and CoA (Change of Authorization) workflows in ISP captive portals to inject malicious HTML/JS, triggering the OS connectivity check.
- Rogue Root CA: ApolloShadow's root certificate is signed using parameters mimicking DigiCert's signature hierarchy, making it easy to overlook on inspection; any tool that simply defers to the OS trust store will accept every leaf certificate chained to it.
- Persistence Mechanisms: Beyond root trust, ApolloShadow schedules a Windows Task (via schtasks.exe) that reinvokes the payload at boot, ensuring long-term access.
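To make the root-certificate step concrete for both the ApolloShadow payload list and the rogue-root bullet above, the following added example (written for this page; it is not ApolloShadow or Microsoft code) reproduces in Go what the rogue root buys the attacker and what defeats it. It generates a legitimate and a rogue root, has the rogue root mint a certificate for msn.com the way the AiTM proxy would, and shows that the forged certificate passes ordinary path validation on a host whose trust store contains the rogue root, fails on a clean host, and fails an SPKI pin taken from the genuine certificate regardless of what the trust store says. The CA names are constructed; msn.com is the site the article names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a certificate with its private key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint creates a certificate for cn: with parent == nil a self-signed root CA,
// otherwise a server certificate for hostname cn signed by parent, which is
// exactly what an AiTM proxy does on the fly for whatever site the victim opens.
func mint(cn string, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}

// chainsTo is ordinary path validation against a store holding exactly roots,
// i.e. what the browser does with the Windows trusted root store.
func chainsTo(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)), the HPKP-style pin format.
// Pinning the key rather than the certificate survives routine renewals.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// RunTrustScenario builds a legitimate and a rogue hierarchy for host and
// reports how a leaf minted by the rogue root fares: path validation on a host
// whose store also holds the rogue root, on a clean host, and against an SPKI
// pin taken from the genuine certificate. CA names are constructed.
func RunTrustScenario(host string) (onInfected, onClean, pinOK bool, err error) {
	m := func(cn string, parent *ca) *ca { // stops at the first error
		var c *ca
		if err == nil {
			c, err = mint(cn, parent)
		}
		return c
	}
	legit, rogue := m("Example Legitimate Root CA", nil), m("Example Rogue Root CA", nil)
	genuine, aitm := m(host, legit), m(host, rogue)
	if err != nil {
		return false, false, false, err
	}
	pin := spkiPin(genuine.cert) // what a pinned client ships with
	return chainsTo(aitm.cert, host, legit.cert, rogue.cert), // rogue root installed
		chainsTo(aitm.cert, host, legit.cert), // clean trust store
		spkiPin(aitm.cert) == pin, // pin check, independent of the store
		nil
}

func main() { fmt.Println(RunTrustScenario("msn.com")) }
```

The first result is the whole point of ApolloShadow: once the rogue root is in the store, the proxy's forged certificate is indistinguishable from a real one to any client that defers to that store. The pin check is the only one of the three that does not depend on the store, which is why pinning has to live in the client or VPN agent rather than in the OS trust configuration.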
Global and Geopolitical Implications
This operation has broader ramifications for diplomatic security and international law:
“This campaign marks a significant evolution in state-level cyber espionage, blending legal ISP mandates with classical MiTM tactics,” said Dr. Elena Petrova, Senior Analyst at the Cyber Threat Alliance.
With major summits and elections on the horizon, compromised diplomatic channels risk leaking sensitive policy discussions and negotiation strategies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory recommending stricter certificate pinning and Zero Trust architectures for high-value networks.
Mitigations and Best Practices
Organizations operating within or communicating with Moscow-based entities should consider the following defenses:
- Encrypted Tunneling: Route all embassy traffic through an out-of-country VPN or Software-Defined Perimeter (SDP) that enforces mutual TLS and certificate pinning. The pin must be checked by the VPN or application client itself; once a rogue root is present, the OS trust store cannot be relied on to reject the proxy's certificates.
- Zero Trust Network Access (ZTNA): Replace legacy VPN with identity- and attribute-based access controls to minimize implicit trust in network appliances.
- Network Segmentation: Isolate diplomatic workstations on a separate VLAN with dedicated firewall rules, blocking unwanted SMB and RPC traffic.
- Certificate Monitoring: Deploy automated tools to detect the introduction of unknown root CAs into the Windows certificate store (both the LocalMachine and CurrentUser Root stores) and Linux trust stores, and alert when network profiles are switched from Public or Domain to Private.
Conclusion
Secret Blizzard’s ISP-level AiTM campaign underscores the necessity of a layered security approach combining technical controls, policy enforcement, and continuous monitoring. By hardening network perimeters and scrutinizing certificate trust chains, diplomatic missions can mitigate the risk of in-country espionage and safeguard critical communications.