U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

Avatar
Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials

Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country.

“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” said Deputy Attorney General Lisa Monaco.

The activity has been attributed to a threat actor called COLDRIVER, which is also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057.

Active since at least 2012, the group is assessed to be an operational unit within Center 18 of the Russian Federal Security Service (FSB).

In December 2023, the U.K. and U.S. governments sanctioned two members of the group – Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets – for their malicious credential harvesting activities and spear-phishing campaigns. Subsequently, in June 2024, the European Council imposed sanctions against the same two individuals.

The DoJ said the newly seized 41 domains were used by the threat actors to “commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer.”

The domains are alleged to have been used as part of a spear-phishing campaign targeting the email accounts of the U.S. government and other victims with the goal of gathering credentials and valuable data.

Parallel to the announcement, Microsoft said it filed a corresponding civil action to seize 66 additional internet domains used by COLDRIVER to single out over 30 civil society entities and organizations between January 2023 and August 2024.

This included NGOs and think tanks that support government employees and military and intelligence officials, particularly those providing support to Ukraine and in NATO countries such as the U.K. and the U.S. COLDRIVER’s targeting of NGOs was previously documented by Access Now and the Citizen Lab in August 2024.

“Star Blizzard’s operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU), said. “They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S.”

The tech giant said it identified 82 customers who have been targeted by the adversary since January 2023, demonstrating a tenacity on the group’s part to evolve with new tactics and achieve their strategic goals.

“This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft,” Masada said. “Their victims, often unaware of the malicious intent, unknowingly engage with these messages leading to the compromise of their credentials.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

How to Get Going with CTEM When You Don’t Know Where to Start

Next Post

Critical Infrastructure Cyberforge Summit

Related Posts

Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft. "Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including
Avatar
Read More

Cloudflare Thwarts Largest-Ever 3.8 Tbps DDoS Attack Targeting Global Sectors

Cloudflare has disclosed that it mitigated a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The web infrastructure and security company said it fended off "over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (
Avatar
Read More