On Thursday, Microsoft and the U.S. Department of Justice (DoJ) announced the seizure of 107 internet domains linked to Russian state-sponsored cybercriminals. These domains were used to conduct computer fraud and abuse, mainly targeting U.S. government and civil society entities.
Deputy Attorney General Lisa Monaco commented, "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials."
The cyberattacks have been attributed to the notorious group COLDRIVER, also known by various names such as Blue Callisto, BlueCharlie, Star Blizzard, TA446, and UNC4057. This group, operational since 2012, is believed to be part of the Russian Federal Security Service (FSB), specifically linked to Center 18.
In December 2023, the U.K. and U.S. governments sanctioned two key members of COLDRIVER—Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets—for their roles in spear-phishing campaigns and credential theft. In June 2024, the European Council followed suit, imposing similar sanctions on the duo.
The DoJ revealed that the 41 newly seized domains were used to conduct unauthorized access to U.S. government computers, extracting sensitive information and causing damage to protected systems. These domains were central to a spear-phishing campaign aimed at stealing credentials from government officials and other high-profile targets.
At the same time, Microsoft filed a civil action that led to the seizure of 66 additional domains used by COLDRIVER. Between January 2023 and August 2024, these domains were used to target more than 30 civil society organizations, including NGOs and think tanks supporting U.S. and NATO officials, with a particular focus on Ukraine.
The persistent efforts of COLDRIVER were highlighted by Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU). He stated, "Star Blizzard's operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions." The group has aggressively targeted former intelligence officials, Russian experts, and Russian citizens residing in the U.S.
Microsoft identified 82 customers targeted by COLDRIVER since January 2023, with the group evolving its phishing techniques to achieve its objectives. "This frequency underscores the group's diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft," Masada added.
COLDRIVER's victims often fall prey to their carefully crafted phishing schemes, unknowingly compromising their credentials and sensitive information.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067