Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group


Microsoft and the US Justice Department on Thursday announced the disruption of the technical infrastructure used by a Russian government-backed APT caught hacking specific targets in academia, defense, governmental organizations, NGOs and think-tanks.

The coordinated action resulted in the seizure of more than 100 domains used for spear-phishing lures against targets in the US, UK, and Europe and expanded the government’s exposure of the FSB-linked ‘Star Blizzard’ hacking operation.

Star Blizzard, publicly outed as a meticulous and relentless hacking team, is blamed for using sophisticated spear-phishing email lures against civil society organizations and US Department of Energy facilities.

“Since January 2023, Microsoft has identified 82 customers targeted by this group, at a rate of approximately one attack per week,” the software giant said.

Star Blizzard is also known as Callisto Group/Coldriver and is known to target military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus.

In new documentation, Microsoft acknowledged that seizing the domains won’t fully stop the group’s spear-phishing activities.

“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern,” the company said.

“Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard,” Microsoft added.


As part of the collaboration, Redmond’s threat intelligence team says it can “quickly disrupt any new infrastructure we identify through an existing court proceeding.”

“[We] will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts,” the company said.

Last year, Five Eyes linked Star Blizzard to the Russian Federal Security Service (FSB) and exposed the actor’s attempted interference in UK politics through the targeting of elected officials, think tanks, journalists and the public sector.

“Star Blizzard is persistent. They meticulously study their targets and pose as trusted contacts to achieve their goals,” Microsoft warned, noting that the group is particular about identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft.

“Once their active infrastructure is exposed, they swiftly transition to new domains to continue their operations,” Microsoft noted, urging civil society groups to use strong multi-factor authentication like passkeys on both personal and professional accounts, and to enroll in Microsoft’s AccountGuard program for an additional layer of monitoring and protection from nation-state cyberattacks.

Related: CISA Warns About Russian ‘Star Blizzard’ APT Spear-Phishing Operation

Related: Western, Russian Civil Society Targeted in Sophisticated Phishing Attacks

Related: European Union Sanctions Six Russian Hackers

Related: NATO Draws a Cyber Red Line in Tensions With Russia
