In early 2025, Russian state-backed threat group Secret Blizzard targeted foreign embassies with a man-in-the-middle (MITM) attack that bypassed MFA.
Instead of sending phishing emails or dropping malware, they compromised the root of trust on embassy systems — the mechanism that determines which connections and certificates are trusted.
By controlling local internet infrastructure inside Russia and getting a rogue root certificate trusted on the targeted embassy systems, Secret Blizzard:
- Used that certificate to impersonate legitimate websites without triggering browser warnings.
- Intercepted “secure” traffic to harvest session tokens, cookies, and credentials — without detection.
High-signal takeaway: A root-of-trust compromise undermines all Transport Layer Security (TLS)-based protections, including FIDO-based MFA.
Why Traditional MFA and FIDO Fail Against This Attack
Seemingly secure MFA assumes secure TLS connections. When TLS is compromised via a rogue root certificate, the browser connects to an attacker-controlled endpoint without any warning, because the attacker's certificate chains to a root the device already trusts.
This breaks the core assumption of MFA, FIDO2, and PKI in general:
- FIDO relies on the browser's TLS certificate validation to establish which site (origin) you are logging into; it has no independent way to verify the site.
- If that process is hijacked, the attacker can create a perfect fake session and capture authentication flows.
Bottom line: MFA can’t protect you if the local device’s trust anchor is compromised.
How To Stop Root-of-Trust Attacks
Use Device-Bound, Hardware-Backed Credentials
Authentication keys should be protected by the device’s secure hardware (TPM, Secure Enclave). This way, they are never exportable, never stored in system memory, and cannot be cloned.
Retain Independent Root of Trust
Credentials should be co-signed by both the device and the authenticator's cloud service. As a result, modifications to the local trust store cannot compromise the integrity of the credential.
Enforce Mutual Cryptographic Verification
Both the device and the authenticator should verify each other’s authenticity independently of TLS, ensuring intercepted traffic cannot be replayed or impersonated.
Apply Continuous Authentication & Device Checks
Authentication is not a one-time event. Continuously evaluate device posture and connection integrity. If a rogue certificate is detected mid-session, access is blocked or revoked immediately.
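As an added illustration of the device-posture and connection checks described above (example code written for this discussion, not Beyond Identity's product code), the following Python script does two things: it diffs the roots the local trust store currently holds against a known-good baseline of SHA-256 fingerprints, flagging any root that was not there before, and it checks that the verified chain of a live connection is anchored to a pinned root rather than to whatever the OS happens to trust. The baseline fingerprints and the byte strings used as sample certificates in `demo()` are constructed placeholders, not real certificates; the hashing and set logic is identical for real DER input.

```python
import hashlib
import ssl
from dataclasses import dataclass


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding: the same value a browser shows as
    the certificate's SHA-256 fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def get_system_roots() -> list:
    """DER bytes of every root the local Python/OpenSSL trust store trusts.
    Caveat: roots loaded from a capath directory only show up here after
    they have been used once, so run this on a warm process."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs(binary_form=True)


@dataclass(frozen=True)
class TrustStoreDrift:
    unexpected: frozenset  # roots present on the device but absent from the baseline
    missing: frozenset     # baseline roots the device no longer has

    @property
    def clean(self) -> bool:
        return not self.unexpected and not self.missing


def audit_trust_store(installed_der: list, baseline_fps: set) -> TrustStoreDrift:
    """Posture check: compare what is installed with a baseline captured from a
    known-good device. A rogue root added by an attacker lands in `unexpected`."""
    installed_fps = {sha256_fingerprint(c) for c in installed_der}
    return TrustStoreDrift(
        unexpected=frozenset(installed_fps - baseline_fps),
        missing=frozenset(baseline_fps - installed_fps),
    )


def chain_anchored_to_pin(verified_chain_der: list, pinned_root_fps: set) -> bool:
    """Session-time check: the last certificate of the verified chain (the trust
    anchor) must be one of our pinned roots. A chain that validates only because
    a rogue root was planted in the OS store fails this test.
    On Python 3.13+ the chain can be taken from SSLSocket.get_verified_chain(),
    converting each entry with cert.public_bytes(ssl.ENCODING_DER)."""
    if not verified_chain_der:
        return False
    return sha256_fingerprint(verified_chain_der[-1]) in pinned_root_fps


def demo() -> TrustStoreDrift:
    """Constructed sample: two baseline roots plus one unexpected root. The byte
    strings stand in for DER certificates and are not real certificates."""
    root_a = b"constructed-placeholder-root-A"
    root_b = b"constructed-placeholder-root-B"
    rogue = b"constructed-placeholder-unexpected-root"
    baseline = {sha256_fingerprint(root_a), sha256_fingerprint(root_b)}
    drift = audit_trust_store([root_a, root_b, rogue], baseline)
    # A session whose verified chain ends in the unexpected root is rejected even
    # though the (compromised) OS store would accept it.
    assert not chain_anchored_to_pin([b"leaf", b"intermediate", rogue], baseline)
    assert chain_anchored_to_pin([b"leaf", b"intermediate", root_a], baseline)
    return drift


if __name__ == "__main__":
    result = demo()
    print("trust store clean:", result.clean)
    print("unexpected roots:", sorted(result.unexpected))
```

In a real deployment the baseline would be generated once from a known-good image and the audit run on a schedule and at session start, so that the appearance of a root the baseline never contained blocks or revokes access rather than merely logging it.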
What True Zero Trust Looks Like
Secret Blizzard’s operation proves that TLS alone is not a security boundary. A zero trust IAM platform must:
- Verify device integrity continuously.
- Authenticate both ends of the connection independently of TLS.
- Eliminate phishable credentials entirely.
Embedding trust directly into the credential makes root-of-trust attacks fail — even against state-sponsored adversaries.
This is exactly the kind of threat Beyond Identity was engineered to neutralize, making root-of-trust attacks, and identity compromise as a whole, impossible.
Beyond Identity’s Dynamic Identity Defense platform is deployed in leading enterprises in finance, energy, and technology to secure users, devices, and AI agents at scale, transforming identity from the largest attack surface into the first line of defense.
Watch a 12-minute demo of the platform or schedule a personalized demo for your environment to see it in action.
About the Author: Jasson Casey is the Chief Executive Officer and Co-Founder of Beyond Identity, where he’s built an enterprise identity defense platform to make identity-based attacks impossible. With over 20 years of experience delivering security and networking products to global enterprises and carriers, he previously served as CTO at Security Scorecard and VP of Engineering at IronNet CyberSecurity.