In the most recent US crackdown with Microsoft a total of 107 Russian domains have been seized. Reports claim that these domains were mainly used by state sponsored threat actors for malicious purposes. In this article, we’ll dive into the details of the US crackdown, the threat actor behind the malicious initiatives, and more. Let’s begin!
US Crackdown Unveils Russian Threat Actor
As per the details of the US crackdown, it has been determined that the threat actor behind the use of the seized domains is COLDRIVER. The threat actor has been active since 2012 and is an operational unit within Center 18 of the Russian Federal Security Service (FSB). The threat actor goes by multiple names that include:
- TA446.
- Calisto.
- UNC4057.
- Iron Frontier.
- Blue Callisto.
- Star Blizzard.
- Gossamer Bear.
- Dancing Salome.
- BlueCharlie (or TAG-53).
It’s worth mentioning here that two members of the group, named Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, were sanctioned by the governments of the US and UK in December last year. In addition, sanctions were imposed against the same two individuals in June 2024 by the European Council.
COLDRIVER leverages advanced tactics for carrying out cyberattacks to harvest credentials, which can then be used to gain unauthorized access and steal data. Commenting on the involvement of the Russian government, Deputy Attorney General Lisa Monaco has stated that:
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials.”
Deep Dive Into The Seized Domains
As a result of a recent US crackdown against online criminals, a total of 107 Russian domains have been seized. Out of these seized domains, 41 were primarily used for three key purposes:
- Causing damage to protected devices.
- Gaining unauthorized access to protected devices in order to steal data.
- Gaining unauthorized access in order to acquire data from a US department or agency.
Reports claim that these domains were an integral part of spear-phishing campaigns. These campaigns primarily targeted email accounts that belonged to the US government and other victims. Apart from the US crackdown, Microsoft also filed a civil action to seize 66 additional domains believed to be used by COLDRIVER.
These domains are said to have been used to single out 30 civil society entities and organizations from January 2023 to August 2024. Some of the entities and organizations that were targeted include:
- NGOs.
- Think tanks supporting government employees.
- Military and intelligence officials who provided support to Ukraine.
In light of the US crackdown, cybersecurity professional Steven Masada, from Microsoft’s Digital Crimes Unit (DCU), has stated that:
“Star Blizzard’s operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions. They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S.”
As part of the US crackdown, tech giant Microsoft mentioned that the threat actor group has been evolving new attack tactics to achieve its objectives.
Conclusion
The U.S. and Microsoft’s crackdown on COLDRIVER exposes the relentless nature of Russian state-sponsored cyberattacks. By seizing 107 domains, they’ve struck a major blow against spear-phishing campaigns aimed at high-value targets and helped safeguard sensitive information. In light of such attacks, using advanced cybersecurity measures is now essential to ensure protection.
The sources for this piece include The Hacker News and SiliconAngle.
The post US Crackdown With Microsoft: Over 100 Russian Domains Seized appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/us-crackdown-with-microsoft-over-100-russian-domains-seized/