The Justice Department revealed the unsealing of a warrant to seize 41 domains used by the Russia-linked Callisto Group (formerly SEABORGIUM, also known as COLDRIVER) for computer fraud in the United States.
“Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state actor Microsoft Threat Intelligence tracks as Star Blizzard. Today, the United States District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States,” reads the post published by Microsoft. “Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.”
A partially unsealed affidavit reveals that the APT group targeted a wide range of U.S. entities, including companies and current or former employees of the U.S. Intelligence Community, Department of Defense, Department of State, Department of Energy, and military defense contractors.
“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” said Deputy Attorney General Lisa Monaco. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”
In December 2023, the UK National Cyber Security Centre (NCSC) and Microsoft reported that the Russia-linked APT group Callisto Group was targeting organizations worldwide. The nation-state actor is carrying out spear-phishing attacks for cyberespionage purposes.
The Callisto APT group (aka “Seaborgium”, “Star Blizzard”, “ColdRiver”, “TA446”) has targeted government officials, military personnel, journalists and think tanks since at least 2015.

In December 2023, the Reddit security team attributed the leak of US-UK trade documents through its platform to a coordinated information campaign linked to Russia.
“We were recently made aware of a post on Reddit that included leaked documents from the UK,” the statement said. “We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.”
“Earlier this year Facebook discovered a Russian campaign on its platform, which was further analyzed by the Atlantic Council and dubbed ‘Secondary Infektion,’” Reddit’s announcement said. “Suspect accounts on Reddit were recently reported to us, along with indicators from law enforcement, and we were able to confirm that they did indeed show a pattern of coordination.”
“While some attacks resulted in documents being leaked, attempts to interfere with UK politics and democracy have not been successful,” reads the press release. “The group has also selectively leaked and amplified the release of information in line with Russian confrontation goals, including to undermine trust in politics in the UK and likeminded states.”
The UK believes that the FSB coordinated at least the following activities:
The National Crime Agency investigation identified two members of Star Blizzard, and the UK and US governments sanctioned them. The two individuals are:
Returning to the present action, Microsoft acknowledged that disrupting the domains will not completely stop the group’s spear-phishing activities.
“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern,” the company said.
“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard,” concludes Microsoft. “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding. Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts.”
Pierluigi Paganini
(SecurityAffairs – hacking, Callisto Group)