1 August 2025, Geneva

Situation Overview

Secret Blizzard is an advanced Russian cyber-espionage group linked to FSB Center 16, operating under aliases such as Turla, Venomous Bear, and Waterbug. It has executed persistent cyber campaigns targeting foreign embassies, ministries, defense contractors, and NGOs. The group leverages compromised ISP infrastructure (notably in Moscow) to carry out adversary-in-the-middle (AiTM) attacks, planting malware like ApolloShadow disguised as trusted software (e.g., Kaspersky).

Threat Actor: FSB-aligned APT (aka Turla, Venomous Bear)
Region of Operation: Global, with focus on NATO, Ukraine, and diplomatic/NGO targets

“What really stood out to me was the masquerading as Kaspersky antivirus. It’s not just about technical infiltration; it’s about exploiting trust. The irony is that Kaspersky is banned across the U.S. government and widely discouraged among NATO allies, yet Secret Blizzard weaponized its brand recognition to slip past defenses.”

— Jake Warren (@jakewarrentx), Threat Intelligence Expert

TTPs

• Infrastructure Hijacking: Uses other APTs’ infrastructure (e.g., Storm‑0156) to deploy malware.

• AiTM Techniques: Leverages lawful intercept capabilities in compromised ISPs to spy on traffic.

• Malware Arsenal: Includes TwoDash, KazuarV2, ApolloShadow, and Statuezy.

• Stealth Delivery: Sideloads malware via legitimate Windows processes (e.g., msdtc.exe + oci.dll).

• Credential Theft & Surveillance: Harvests login data, clipboard contents, and communications.
  
  

Targets & Motives

Primary Targets:

• Foreign embassies and diplomatic missions (especially in Russia and adjacent regions)

• Ministries of defense and foreign affairs

• NGOs in democracy, human rights, and corruption spaces

• National infrastructure and CERTs

• Research and policy institutions

Strategic Objectives:

• Long-term espionage

• Foreign policy disruption

• NGO delegitimization

• Influence campaign facilitation

Timeline

• 2019–2022:  Persistent EU/NATO-targeted espionage

• 2022–2024:  Leveraged Storm‑0156 infrastructure for payload delivery

• Late 2024:  Used Moscow ISP access to target foreign embassies via ApolloShadow

• 2025 (ongoing):  Expanded AiTM, NGO targeting, and credential-harvesting operations

Cognitive Risks

1. Diplomatic Trust Erosion: Intercepted communications lead to paranoia and self-censorship in diplomatic circles.

2. Perception Manipulation: Leaked or modified stolen data can falsely implicate alliances or internal dissent.

3. NGO Delegitimization: Exfiltrated data is used to portray NGOs as corrupt, foreign-influenced, or biased.

4. Disinformation Enablement: Stolen materials fuel fabricated narratives and deepened public mistrust.

5. Psychological Burnout: Repeated compromises trigger fatigue, fear, and morale erosion among staff.

6. Security Tool Distrust: Malware disguised as legitimate software (e.g., Kaspersky) causes confusion and over-/underreaction.
   
   

ISRS Recommendations

General Recommendations

• Phishing-Resistant MFA, Zero Trust, IOC monitoring

• Avoid adversary-controlled ISPs

• Use threat intel feeds and cognitive hygiene training
  
  

For Embassies

• Segment sensitive systems; use secure field devices

• Monitor for MITM activity and use out-of-band comms

• Vet local staff and seed honeytokens for detection
  
  

For NGOs 

• Encrypt and isolate sensitive donor/whistleblower data

• Host abroad; use roaming VPN infrastructure

• Plan for comms shutdowns and defamation campaigns

Conclusion

Secret Blizzard continues to demonstrate a sophisticated and state-resourced approach to cyber espionage. Their use of adversary-in-the-middle techniques, infrastructure hijacking, and software deception highlights a shift toward blending signals intelligence with cyber operations. Diplomatic targets and NGOs working in contested spaces are at elevated risk due to proximity, political sensitivities, and limited defensive capacity.

Their infrastructure reuse strategy also blurs attribution lines, meaning defenders must treat any malware incident with a forensic lens, considering supply chain manipulation or false-flag overlap. The group’s emphasis on credential theft, long-term persistence, and deception makes resilience, not just prevention, the core security objective.