Oct 04, 2024Ravie LakshmananPhishing Attack / Cybercrime

Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country.

“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” said Deputy Attorney General Lisa Monaco.

The activity has been attributed to a threat actor called COLDRIVER, which is also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057.

Active since at least 2012, the group is assessed to be an operational unit within Center 18 of the Russian Federal Security Service (FSB).

In December 2023, the U.K. and U.S. governments sanctioned two members of the group – Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets – for their malicious credential harvesting activities and spear-phishing campaigns. Subsequently, in June 2024, the European Council imposed sanctions against the same two individuals.

The DoJ said the newly seized 41 domains were used by the threat actors to “commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer.”

The domains are alleged to have been used as part of a spear-phishing campaign targeting the email accounts of the U.S. government and other victims with the goal of gathering credentials and valuable data.

Parallel to the announcement, Microsoft said it filed a corresponding civil action to seize 66 additional internet domains used by COLDRIVER to single out over 30 civil society entities and organizations between January 2023 and August 2024.

This included NGOs and think tanks that support government employees and military and intelligence officials, particularly those providing support to Ukraine and in NATO countries such as the U.K. and the U.S. COLDRIVER’s targeting of NGOs was previously documented by Access Now and the Citizen Lab in August 2024.

“Star Blizzard’s operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU), said. “They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S.”

The tech giant said it identified 82 customers who have been targeted by the adversary since January 2023, demonstrating a tenacity on the group’s part to evolve with new tactics and achieve their strategic goals.

“This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft,” Masada said. “Their victims, often unaware of the malicious intent, unknowingly engage with these messages leading to the compromise of their credentials.”