On Thursday, Microsoft and the U.S. Department of Justice (DoJ) announced a significant operation resulting in the seizure of 107 internet domains linked to state-sponsored cybercriminals in Russia. These domains were reportedly used to facilitate computer fraud and abuse targeting American citizens.
Details of the Operation by Microsoft and the U.S. DoJ
Deputy Attorney General Lisa Monaco stated, “The Russian government ran this scheme to steal Americans’ sensitive information by using seemingly legitimate email accounts to trick victims into revealing their account credentials.” The authorities have attributed the operation to a threat actor known as COLDRIVER, which operates under various aliases, including Blue Callisto, TAG-53, and Star Blizzard.
Active since at least 2012, COLDRIVER is believed to be an operational unit within Center 18 of the Russian Federal Security Service (FSB). In December 2023, the U.K. and U.S. governments sanctioned two members of the group, Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in credential harvesting and spear-phishing campaigns. The European Council followed suit in June 2024, imposing sanctions against the same individuals.
Nature of the Cyber Threat
The DoJ revealed that COLDRIVER used 41 of the newly seized domains to commit various cybercrimes, including unauthorized access to computers to obtain sensitive information from U.S. government agencies. These domains also supported a spear-phishing campaign that specifically targeted the email accounts of government officials and other individuals in order to harvest credentials and valuable data.
In a parallel move, Microsoft also filed a civil action to seize an additional 66 domains used by COLDRIVER, which specifically targeted over 30 civil society organizations and entities between January 2023 and August 2024. Notably, these included NGOs and think tanks that support government employees and military officials, particularly those aiding Ukraine and NATO allies such as the U.K. and the U.S.
Targeting High-Value Victims
Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU), emphasized the relentless nature of COLDRIVER’s operations. He stated, “Star Blizzard’s operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions.” Furthermore, the group has shown particular aggression in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S.
Since January 2023, Microsoft has identified 82 customers targeted by COLDRIVER, which highlights the group’s adaptability and strategic focus. Masada further explained, “This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft.” Consequently, many victims, often unaware of the malicious intent, inadvertently engage with these phishing messages, leading to compromised credentials.