Turla Group Uses Russian ISPs to Implant ApolloShadow Spyware Targeting Foreign Diplomats in Moscow

A sophisticated Russian state-sponsored cyberespionage group known as Turla—also identified by names such as Snake, Venomous Bear, Secret Blizzard, and Microsoft’s designation ApolloShadow—is employing a new and highly insidious espionage tactic. Rather than relying solely on conventional malware delivery methods, Turla has leveraged its influence and access within Russia’s internet infrastructure to directly inject spyware onto the computers of foreign diplomats and embassy staff residing in Moscow by manipulating local internet service providers (ISPs). This new method represents a significant evolution in cyberespionage tactics, blending aggressive, targeted intrusion with state-enabled network-level access.

Background on Turla and Its Espionage Capabilities

Turla is widely recognized as one of Russia’s most advanced hacking collectives affiliated with the Federal Security Service (FSB), Russia’s domestic intelligence agency. The group is infamous for pioneering some of the most creative and complex cyber espionage campaigns ever observed, including the use of satellite-based malware communications, commandeering other hacker groups’ infrastructure, and deploying USB worms to infect air-gapped computers.

Throughout the years, Turla has operated globally, targeting government organizations, diplomatic missions, and other high-value intelligence assets in around 50 countries. Their operations range from advanced persistent threats to supply-chain compromises and innovative malware deployment.

New Attack Vector: Exploiting Russian ISPs

In a report published at the end of July 2025, Microsoft’s cybersecurity division revealed how Turla has adopted a novel and highly effective tactic by exploiting Russian ISPs to infect and surveil foreign diplomatic targets within Russia. Instead of infiltrating target systems directly through traditional cyberattacks, Turla is now using its access to the local telecommunication infrastructure to intercept and manipulate internet traffic at the ISP level—a method that significantly complicates detection and response.

This method reportedly relies on Russia’s “lawful intercept” system, known as SORM, which requires telecommunications firms to install government-controlled monitoring equipment, allowing the FSB to surveil communications in real time. Turla is believed to use SORM extensively to access and manipulate network traffic.

How the Attack Works

The cyberespionage operation involves what is known as an adversary-in-the-middle (AiTM) attack. Specifically, foreign diplomats and embassy personnel attempting to access the internet in Moscow are silently redirected to fake captive portals—the login pages typically encountered at airports, hotels, or cafes to control public internet access.

When the target’s device tries to verify internet connectivity via Microsoft’s Connectivity Status Indicator—a legitimate Windows feature that sends requests to Microsoft websites to confirm online status—Turla’s manipulation intercepts this request. Victims are then presented with a false system error prompting them to install an urgent “security certificate update.” This update is disguised as software from the reputable Russian cybersecurity company Kaspersky, cleverly increasing its plausibility.

Once users download and install this update, they unknowingly install the ApolloShadow malware. This malicious software disables encryption on the victim’s browsers by installing a rogue root certificate, effectively stripping HTTPS protections from all their web traffic. As a result, all data transmitted from the compromised devices—ranging from usernames and passwords to sensitive diplomatic communications—becomes accessible to the ISP operators and, by extension, the Russian intelligence agencies collaborating in the espionage operation.

Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy, described this as a “clever tactic” that’s far less conspicuous than conventional spyware while still achieving extensive surveillance capabilities. She emphasized that this method blurs typical distinctions between passive surveillance and active intrusion—since it harnesses state control over infrastructure rather than exploiting zero-day software vulnerabilities.

Target Profile and Scope

Microsoft’s analysis indicates that the primary targets are personnel at foreign embassies in Moscow. Which countries’ embassies were compromised has not been publicly disclosed. The use of a Kaspersky-branded spoof, however, suggests that United States diplomatic missions were likely spared, since Kaspersky software is banned from U.S. government systems; Microsoft has not confirmed any targeting of the U.S. embassy.

Other diplomatic missions utilizing local ISPs within the Russian capital, however, are considered at high risk, with some victims alerted by Microsoft after detection. The operation’s scope appears focused on intelligence interception rather than financial theft or data destruction, reflecting the Kremlin’s priority on gaining diplomatic and strategic insights.

Relation to Broader Russian Cyber Espionage

Turla’s ISP-level intrusion is not entirely without precedent. In past years, cybersecurity researchers from firms like ESET have documented methods employed by Russian or Belarusian intelligence-linked groups to compromise victims via ISP-level manipulations, including the delivery of commercial spyware such as FinFisher disguised as legitimate software updates.

What makes the current campaign distinct and more alarming is its scale, sophistication, and use of novel techniques to disable encryption, providing near-total visibility into targets’ online activity. The operational success is greatly enhanced by Russia’s established SORM infrastructure, which institutionalizes lawful intercept capabilities and allows intelligence services to control ISPs directly.

These activities occur amid an ongoing backdrop of Russian state-aligned cyber operations targeting foreign cybersecurity, government networks, and military support infrastructure worldwide, including sustained attacks against Ukraine and NATO countries.

Security Implications and Recommendations

Microsoft’s threat intelligence experts warn that Turla’s approach is particularly insidious because it:

  • Does not rely on exploitable software vulnerabilities, making conventional patching ineffective.
  • Is highly covert, masquerading as legitimate certificate updates.
  • Exploits state control over internet infrastructure, posing greater challenges for detection and attribution.
  • Offers near-real-time interception of sensitive diplomatic communications.

To mitigate these risks, experts recommend:

  • Using Virtual Private Networks (VPNs) or satellite internet connections to bypass compromised ISPs and protect traffic from interception.
  • Implementing strong multi-factor authentication to limit attackers’ ability to use stolen credentials.
  • Remaining vigilant when prompted to install security updates, especially on foreign networks, and verifying update authenticity directly through trusted sources.
  • Employing endpoint security solutions that can detect unauthorized root certificates or anomalous network behavior.
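The rogue-root-certificate step described under How the Attack Works and the last recommendation above come down to one defender's check: is there anything in the Windows root stores that the organization did not put there, and is the connectivity probe still answered by Microsoft rather than a captive portal? The PowerShell below is an added example, not code from the article or from Microsoft's report; the baseline thumbprints are constructed placeholders, and the probe URL and expected body are the standard Windows 10/11 NCSI values, which the article does not name.

```powershell
# Added example (not from the article or Microsoft's report): audit the Windows root
# stores for trust anchors missing from a known-good baseline, and check that the NCSI
# connectivity probe returns Microsoft's expected content instead of a portal page.
# Assumption: the baseline list below is a constructed placeholder; replace it with the
# thumbprints captured from a clean build of the same Windows image.

$BaselineThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',   # constructed placeholder, not a real CA thumbprint
    'PLACEHOLDER_THUMBPRINT_2'    # constructed placeholder
)

function Get-UnexpectedRootCertificates {
    param([string[]]$Baseline, [int]$RecentDays = 30)
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $recent = $_.NotBefore -gt (Get-Date).AddDays(-$RecentDays)
            if ($Baseline -notcontains $_.Thumbprint) {
                [pscustomobject]@{
                    Store          = $store
                    Subject        = $_.Subject
                    Issuer         = $_.Issuer
                    Thumbprint     = $_.Thumbprint
                    NotBefore      = $_.NotBefore
                    SelfSigned     = ($_.Subject -eq $_.Issuer)
                    RecentlyIssued = $recent
                }
            }
        }
    }
}

function Test-NcsiProbe {
    # Windows issues this probe over plain HTTP, so an ISP-level AiTM box or captive
    # portal can rewrite it; any redirect or altered body is treated as a failure.
    $uri = 'http://www.msftconnecttest.com/connecttest.txt'
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -MaximumRedirection 0 -TimeoutSec 10
        $ok = ($resp.StatusCode -eq 200) -and ($resp.Content.Trim() -eq 'Microsoft Connect Test')
    } catch { $ok = $false }   # redirects raise here when MaximumRedirection is 0
    [pscustomobject]@{ Probe = $uri; IntactResponse = $ok }
}

# Anything listed here deserves review; a self-signed root in CurrentUser\Root with a
# recent NotBefore date matches the pattern the article describes.
Get-UnexpectedRootCertificates -Baseline $BaselineThumbprints | Format-Table -AutoSize
Test-NcsiProbe
```

Run it from a clean network first to record the baseline, then on the suspect connection; a user-store root that the machine store does not carry is the quickest indicator to chase.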

Sherrod DeGrippo also cautioned that foreign nationals traveling or working in countries with authoritarian controls over telecommunications infrastructures should be highly aware of these threats, as similar ISP-level compromises could be exploited globally wherever national intelligence agencies maintain close control over internet transit.

Concluding Observation

The revelation of Turla’s exploitation of Russian ISPs to plant spyware illustrates the Kremlin’s evolving cyberespionage strategy that exploits legal and infrastructure control to perform highly targeted digital intrusions. This technique further complicates global cyber defenses, especially for diplomatic and intelligence communities operating within adversarial jurisdictions.

The hybrid nature of this espionage—merging conventional hacking with state-mandated network access—poses a formidable challenge to international cyber norms and the security of sensitive communications. As this landscape develops, vigilance and adaptation will remain essential to safeguarding critical diplomatic and government networks against increasingly sophisticated state-backed cyber threats.

Andy Greenberg’s article was originally published in Wired on Jul 31, 2025