Kremlin uses local providers to install spyware
Cyber espionage group Turla appears to be forcing diplomats to infect their computers with spyware.
Published on August 2, 2025

As editor-in-chief, Aafke oversees all content and events but loves writing herself. She makes complex topics accessible and tells the stories behind technology.
The FSB cyber espionage group Turla appears to be using its control over Russia's network infrastructure to manipulate internet traffic. This allows the group to infect diplomats' computers with spyware. Microsoft researchers have discovered that Turla is abusing access to Russian ISPs to target individuals in Moscow, disable their encryption, and make their communications vulnerable to surveillance. Microsoft warns that this blurs the line between passive surveillance and actual intrusion.
FSB's cyber espionage tactics
The Russian hacker group Turla, also known as Snake, Venomous Bear, or Secret Blizzard, is known for its innovative hacking methods. In the past, the group hid malware communications via satellite connections and hijacked the operations of other hackers. According to the US government, the hacking group has been active for nearly 20 years against governments, journalists, and other targets.
Now it appears that Turla, believed to be part of the Russian Federal Security Service (FSB) in the Kremlin, is using its state-approved access to Russian internet service providers (ISPs) to plant spyware on the computers of targets in Moscow. This action disables encryption and makes their communications vulnerable to surveillance.
According to Microsoft's Threat Intelligence team, this is the first time it has been confirmed that Turla has this capability at the ISP level.
The team describes the campaign as “a high risk to foreign embassies, diplomatic institutions, and other sensitive organizations operating in Moscow, especially those using local internet service providers.”
Stealing data through backdoors
The analysis reveals for the first time that the Russian secret service FSB is conducting cyber espionage at the level of internet providers. “This means that diplomatic personnel using local internet or telecom services in Russia are very likely to be targeted by the campaign,” Microsoft said.
In February, Microsoft tracked an FSB operation that targeted foreign embassies in Moscow. It involved installing modified malware (“backdoors”) that could steal data and install additional software.
The findings come as the US is pressuring Moscow to accept a ceasefire in Ukraine, and NATO countries are increasing their defense spending out of concern about Russia. Moscow did not immediately respond to the report; Russia has previously denied carrying out cyberattacks.
The hacking group involved, referred to by Microsoft as “Secret Blizzard” and also known as “Turla”, has been active against governments, journalists, and other targets for nearly 20 years, according to the US government.