United States and Microsoft Seize 107 Russian Domains in Extensive Cyber Fraud Clampdown

Oct 04, 2024Ravie LakshmananPhishing Assault / Cybercrime

Microsoft and the United States Department of Justice (DoJ) jointly announced the seizure of 107 web domains used by Russia-linked, state-sponsored threat actors to commit computer fraud and abuse in the country.

“This fraudulent operation was orchestrated by the Russian administration to pilfer sensitive details from Americans, utilizing seemingly legitimate email accounts to deceive victims into revealing account credentials,” stated Lisa Monaco, Deputy Attorney General.

The activity has been attributed to a threat actor tracked as COLDRIVER, which is also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (also spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057.


Active since at least 2012, the group is assessed to be an operational unit within Center 18 of the Russian Federal Security Service (FSB).

In December 2023, the governments of the United Kingdom and the United States sanctioned two members of the group, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their malicious credential-harvesting and spear-phishing campaigns. In June 2024, the European Council sanctioned the same two individuals.

The DoJ said the 41 domains it seized were used by the threat actors to “conduct illicit access to a computer to procure information from a department or agency of the United States, unauthorized access to a computer to gather data from a protected computer, and causing harm to a protected computer.”

These domains are alleged to have been used in a spear-phishing campaign targeting the email accounts of the U.S. government and other victims in an effort to steal credentials and valuable information.

In parallel, Microsoft disclosed that it has filed a related civil action to seize 66 additional internet domains used by COLDRIVER to target more than 30 civil society entities and organizations between January 2023 and August 2024.

These included non-governmental organizations and think tanks that support government employees and military, intelligence, and defense officials, particularly those supporting Ukraine, as well as NATO countries such as the United Kingdom and the United States. COLDRIVER's targeting of NGOs was previously documented by Access Now and the Citizen Lab in August 2024.


“Star Blizzard’s operations are persistent, exploiting the trust, privacy, and familiarity of everyday digital interactions,” said Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU). “They have shown particularly aggressive behavior targeting former intelligence officials, Russian experts, and Russian nationals living in the U.S.”

The tech giant said it has identified 82 customers targeted by the adversary since January 2023, underscoring the group's persistence and its continued adoption of new tactics to achieve its strategic objectives.

“This frequency emphasizes their meticulousness in identifying valuable targets, framing personalized phishing emails, and constructing the required infrastructure for credential theft,” Masada elaborated. “Their victims, often oblivious to the malice, unknowingly engage with these messages, leading to the compromise of their credentials.”
