DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks
Winter is coming
The US Department of Justice and Microsoft have seized 107 websites used by Russian cyberspies in a phishing campaign to steal sensitive information from US government agencies, think tanks, and other victims.
Court orders targeted domains belonging to Russia's Callisto Group (aka Star Blizzard and Coldriver), a hacking unit of the Russian Federal Security Service (FSB) that has been attacking defense, intelligence, political orgs, and academia since at least 2017.
"The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," US Deputy Attorney General Lisa Monaco said in a statement today announcing the FSB infrastructure disruption.
According to the DOJ’s warrant [PDF], the 41 seized domains “were used or intended to be used by members of the Callisto Group in an ongoing and sophisticated spear phishing campaign with the goal of gaining unauthorized access to the computers and email accounts of victims, to then steal valuable information and sensitive United States government intelligence.”
Targeted victims “thus far” included US-based companies, former intelligence community employees, former and current Department of Defense and Department of State employees, United States military defense contractors, and staff at the Department of Energy.
As recently as August, the University of Toronto's Citizen Lab warned of a massive, two-year espionage campaign during which Callisto hackers had been stealing user credentials and 2FA tokens from victims in the US and Europe.
Meanwhile, Microsoft's court order authorized the takedown of another 66 domains.
Between January 2023 and August 2024, Redmond spotted the Russians phishing 30 civil society entities and organizations, including journalists, think tanks, and NGOs, we're told.
"While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern," Microsoft said in announcing the civil action. "It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding."
The Feds' website takedown also follows criminal charges levied against two alleged Callisto-affiliated individuals, FSB officer Ruslan Aleksandrovich Peretyatko and co-conspirator Andrey Stanislavovich Korinets, for their supposed roles in a scheme to break into computer networks in the US, the UK, other NATO countries, and Ukraine on behalf of the Russian government.
In December 2023, seven government agencies from Australia, Canada, New Zealand, the US, and the UK sounded the alarm about Callisto's phishing techniques, while UK Foreign Office minister Leo Docherty accused the FSB crew of hacking private conversations of high-profile UK politicians, then "selectively leak[ing] and amplify[ing] information" for political meddling. ®