Microsoft and the US Department of Justice (DoJ) announced Thursday the seizure of 107 Internet domains used by state-sponsored threat actors with ties to Russia to facilitate fraud and abuse in the country.
“The Russian government launched this scheme to steal sensitive information from Americans by using seemingly legitimate email accounts to trick victims into revealing credentials,” said Deputy Attorney General Lisa Monaco.
The activity has been attributed to the threat actor tracked as COLDRIVER, which is also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446 and UNC4057.
Active since at least 2012, the group is considered an operational unit of Center 18 of Russia’s Federal Security Service (FSB).
In December 2023, the UK and US governments sanctioned two members of the group, Aleksandrovich Peratyatko and Andrey Stanislavovich Korynts, for malicious credential-harvesting and phishing campaigns. In June 2024, the European Council imposed sanctions on the same individuals.
The Justice Department said the 41 domains it seized were used by the threat actors to “commit violations involving unauthorized access to a computer to obtain information from a United States department or agency, unauthorized access to a computer to obtain information from a protected computer, and damage to a protected computer”.
The domains are believed to have been used as part of a phishing campaign targeting US government email accounts and other victims to collect credentials and valuable data.
In parallel with the announcement, Microsoft said it had filed a corresponding civil action to seize 66 additional internet domains used by COLDRIVER to target more than 30 civil society organizations and individuals between January 2023 and August 2024.
These included NGOs and think tanks that support government employees and military and intelligence officials, particularly those providing support to Ukraine and to NATO countries such as the UK and the US, as previously documented by Access Now and Citizen Lab in August 2024.
“Star Blizzard’s operations are relentless, leveraging the trust, privacy and familiarity of everyday digital interactions,” said Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit (DCU). “They have been particularly aggressive in their attacks on former intelligence officers, experts on Russian affairs, and Russian citizens living in the United States.”
The tech giant said it had identified 82 customers targeted by the adversary since January 2023, demonstrating the group’s persistence in evolving its tactics to achieve its strategic goals.
“This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails and developing the necessary infrastructure to steal credentials,” Masada said. “Their victims, often unsuspecting of malicious intent, unknowingly interact with these messages, resulting in their credentials being compromised.”