July 31, 2025 - Clash Report
Microsoft stated that Turla—also known as Secret Blizzard—used access to Russian internet service providers to reroute embassy traffic and deliver malware payloads. These tools posed as legitimate cybersecurity software associated with the Russian firm Kaspersky. A spokesperson for Kaspersky denied involvement, emphasizing that trusted brand names are often exploited without consent and advising users to download apps only from verified sources.
Once deployed, the ApolloShadow malware decrypted encrypted internet traffic, allowing the hackers to access usernames, passwords, and browsing records. Microsoft did not name specific embassy targets but described the campaign as extensive and sophisticated.
Turla has operated for more than 25 years and is widely considered one of the most persistent hacking units in the world. The U.S. Department of Justice previously linked the group to the Russian Federal Security Service (FSB) and dismantled a large part of its infrastructure in 2023. Analysts believe Turla benefits from Russia’s legal surveillance framework, especially systems like SORM, which enables the FSB and police to intercept communications nationwide.
The hacking campaign occurs during heightened international scrutiny of Russia’s global cyber posture and its war in Ukraine. In parallel, President Vladimir Putin is tightening domestic digital controls, promoting a state-approved internet app ecosystem and threatening to ban encrypted messaging platforms like WhatsApp.