A joint effort by the Justice Department (DOJ) and Microsoft disrupted the operations of a Russia-backed threat group that was targeting government agencies and private organizations in the United States and elsewhere through a spear-phishing campaign that lasted more than a year.
The DOJ this week said it seized 41 internet domains used by the Callisto Group – an arm of Russia’s Federal Security Service (FSB) – while Microsoft said it seized 66 internet domains used by the same group, which the enterprise IT giant tracks as Star Blizzard.
According to both the DOJ and Microsoft, the threat group, between January 2023 and August, attacked more than 30 civil society organizations – including think tanks, journalists, and non-governmental organizations (NGOs) – with spear-phishing campaigns designed to steal sensitive information and interfere with their activities.
“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern,” Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU), wrote in a blog post, noting that the vendor filed a lawsuit against Star Blizzard in federal court in Washington DC. “It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding.”
Masada added that through the information gleaned from the discovery process of the legal case, both the DCU and Microsoft Threat Intelligence “will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts.”
DOJ officials said that their work with Microsoft was the result of the agency’s ongoing public-private efforts in combatting cyberthreats.
“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” Deputy Attorney General Lisa Monaco said in a statement. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials.”
Sean McNee, head of threat research at cybersecurity vendor DomainTools, applauded the operation, adding that the “takedown is likely only scratching the surface when it comes to FSB or other groups who have purchased domains to seed malignant websites.”
“We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation,” McNee said. “As we get closer to the U.S. presidential election, we anticipate a dramatic increase in nation-state-backed groups turning towards purchasing domains to seed misinformation and disinformation around this event.”
Both the U.S. government and cybersecurity firms have documented multiple efforts by bad actors backed by the governments of Russia, China, Iran, and others to interfere in the highly charged elections next month.
A History of Targeting Civil Society Groups
According to Microsoft’s Masada, Star Blizzard – also known as Coldriver – has been active since 2017 and two years ago improved its detection-evasion techniques while continuing to focus on email credential threats. Most recently, the group has targeted NGOs and think tanks that support military and intelligence officials – particularly in the United States, the UK, and elsewhere in Europe – that back Ukraine and NATO, as well as government employees.
More recently the bad actors have ramped up their efforts against former intelligence officials, Russian affairs experts, and Russian citizens living in the United States.
Google’s Threat Analysis Group in January released a report about the group – under the Coldriver name – noting that it was extending its capabilities beyond credentials phishing to include malware.
In December 2023, the DOJ indicted two Russians – including one who is an FSB officer – for hacking into computer networks in the United States, the UK, and other NATO countries, as well as Ukraine.
Masada highlighted Star Blizzard’s persistence, noting that group members “meticulously study their targets and pose as trusted contacts to achieve their goals.” Since January 2023, Microsoft has identified 82 of its customers targeted by Star Blizzard, which amounts to about one attack per week.
“This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft,” he wrote. “Their victims, often unaware of the malicious intent, unknowingly engage with these messages leading to the compromise of their credentials.”
The group is also highly adaptable, which will continue to pose a challenge even after the domain takedowns: once its active infrastructure is exposed, it quickly moves to new domains. Masada pointed to a report on Star Blizzard published in August by The Citizen Lab at the University of Toronto and the digital rights group Access Now.
Since then, both organizations have investigated at least one additional case linked to Star Blizzard, showing that the group “remains active and is not deterred despite governments, companies, and civil society exposing their malicious activities,” he wrote.
Civil society groups should harden their cybersecurity protections and use strong multi-factor authentication (MFA) tools like passkeys on both professional and personal accounts, Masada said. He added that “these efforts and commitments must be coupled with an application of international norms to limit cyberattacks associated with nation-states that purposely target the parts of society that enable democracy to thrive.”