100+ domains seized to stymie Russian Star Blizzard hackers
Microsoft and the US Justice Department have seized over 100 domains used by Star Blizzard, a Russian nation-state threat actor.
“Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities,” Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, explained.
“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern.”
About Star Blizzard
Star Blizzard, aka COLDRIVER and Callisto Group, is a threat group that has been active since at least 2017, and is attributed to the Russian Federal Security Service (FSB).
Aside from targeting NGOs and Western governments’ employees and military intelligence officials, they are also known for focusing on compromising accounts of Russian affairs experts and Russian citizens residing in the U.S., as well as for their 2023 attempt to interfere in UK politics by targeting of elected officials, think tanks, journalists and the public sector.
Example of Star Blizzard phishing email (Source: Microsoft)
“[Star Blizzard] meticulously study their targets and pose as trusted contacts to achieve their goals. Since January 2023, Microsoft has identified 82 customers targeted by this group, at a rate of approximately one attack per week,” Masada added.
According to Microsoft threat analysts, the group uses multiple registrars to register domains, various link-shortening services and legitimate websites with open redirects to “hide” their malicious domains, and they base their spear-phishing emails on legitimate email templates. But once their active infrastructure is exposed, they waste not time and switch to using new domains.
Disrupting Star Blizzard operations
Microsoft, along with the NGO Information Sharing and Analysis Center, were granted permission to seize 66 internet domains used by Star Blizzard, while the US Justice Department simultaneously seized 41.
Microsoft is not under the illusion that seizing the domain will stop Star Blizzard, but this successful legal action will allow them to quickly disrupt any new infrastructure through an existing court proceeding.
“Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts,” Masada explained.
Previously, the US DOJ filed an indictment against two suspected Star Blizzard members/associates for their alleged roles in a campaign to hack into computer networks in the US, the UK, and NATO members.