The US Department of Justice and Microsoft have seized over 100 domains that Russian hackers used for cyber espionage against the West and its allies.
The Star Blizzard hacking group, also tracked as ColdRiver, Callisto Group, BlueCharlie, TA446, UNC4057, Dancing Salome, Gossamer Bear, and Seaborgium, is linked to Russia’s Federal Security Service (FSB).
The group primarily uses phishing attacks to compromise its victims, who include government officials, journalists, NGOs, think tanks, and political dissidents. Microsoft said the takedown occurred at a critical moment, just as the US presidential elections were approaching.
Star Blizzard’s prolonged cyber espionage campaign
Since 2017, the group has attacked various targets including the United States Intelligence Community, the Department of Defense, the Department of State, the Department of Energy, and some defense contractors.
However, attacks against the U.S. defense industrial base and energy facilities have escalated since Russia invaded Ukraine in 2022.
Between January 2023 and August 2024, Microsoft says the Russian hackers also tried to undermine Western democracy by attacking 30 civil society organizations, journalists, think tanks, and non-governmental organizations.
The group primarily uses phishing attacks to compromise targets by tricking victims into disclosing their account credentials.
According to Steven Masada, Microsoft’s Assistant General Counsel at the company’s Digital Crimes Unit, Star Blizzard achieves this objective by “deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.”
United States Deputy Attorney General Lisa Monaco also noted that the Russian hackers use “seemingly legitimate email accounts to trick victims into revealing account credentials.”
University of Toronto’s Citizen Lab also warned of a two-year cyber espionage campaign targeting account credentials and two-factor authentication codes from US and European targets.
The takedown occurred at a pivotal moment in history as the United States anticipates potential interference in the upcoming presidential elections. Star Blizzard has always played a crucial role in Russia’s cyber espionage activities, including meddling in elections.
“…today’s action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern,” Masada said.
“Russia has ratcheted up the cyber insurgency in American cyberspace,” said Tom Kellermann, SVP of Cyber Strategy at Contrast Security. “Russia is cognizant that the soft underbelly of the U.S. is our dependence on technology. The GRU and a few cybercrime cartels are collaborating in widespread campaigns of infiltration.”
The DOJ and Microsoft dismantle Russian hackers’ cyber espionage infrastructure
Microsoft seized 66 domains operated by the ColdRiver cybercrime group, while the DOJ confiscated 41 web addresses belonging to the Russian hackers.
Private sector partners also played a crucial role in taking down Russian hackers’ cyber espionage infrastructure, emphasizing the importance of collaboration in fighting cybercrime.
“Today’s action is an example of the impact we can have against cybercrime when we work together,” Microsoft said. “By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.”
US Deputy AG Monaco reiterated the department’s readiness to use “all tools to disrupt and deter malicious, state-sponsored cyber actors.”
The recent Star Blizzard takedown is hardly the first time that the DOJ and Microsoft have dealt the Russian cyber espionage campaign a debilitating blow.
In December 2023, the DOJ indicted and slapped sanctions on two alleged ColdRiver-linked Russian hackers, Ruslan Peretyatko and Andrey Korinets, for their alleged role in the global cyber espionage campaign.
In 2022, Microsoft also dealt the Star Blizzard cyber espionage campaign a devastating blow by seizing Microsoft accounts used for email harvesting.
Nevertheless, the takedown is hardly the silver bullet that solves Russia’s cyber espionage problem, as Microsoft said it expects “Star Blizzard to always be establishing new infrastructure.”
Meanwhile, the DOJ is offering up to $10 million for any information leading to the identification or arrest of Star Blizzard members.