DOJ, Microsoft take down 107 Russian-backed Star Blizzard domains

The U.S. Department of Justice, in collaboration with Microsoft, took down 107 unique domains run by the Russian-backed Star Blizzard threat group, which used the websites to launch spear-phishing attacks on Microsoft customers, multiple federal agencies, and defense contractors.

Microsoft filed a civil action to seize 66 Star Blizzard domains, while the U.S. Justice Department seized 41 domains used by the threat group. Like most threat groups, Star Blizzard also goes by many other names, including ColdRiver and the Callisto Group.

In an Oct. 3 announcement, the Justice Department said that, according to the partially unsealed affidavit filed in support of the government’s seizure warrant, the seized domains were used by a "hacking group that was a criminal proxy" working for an operational unit within Center 18 of the Russian Federal Security Service (FSB). Star Blizzard targeted the following entities: U.S.-based companies, former employees of the U.S. intelligence community, former and current Department of Defense and State Department employees, U.S. military defense contractors, and staff at the Energy Department.

“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” said Deputy Attorney General Lisa Monaco. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”

Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU), said that while they expect Star Blizzard to continue to establish new infrastructure, the actions announced Oct. 3 impact its operations at a critical point in time, when foreign interference in U.S. democratic processes is of utmost concern.

“It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding,” said Masada. “Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations, and identify and assist victims with remediation efforts.”

Casey Ellis, founder and chief strategy officer at Bugcrowd, said the takedown served a few purposes: disrupting the group’s existing operations, infrastructure, and operatives. Ellis said it also puts Star Blizzard “on notice” that its activities are being detected and that it isn’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation and will at least chill its activities for a while.

“Importantly, the announcement and the amount of signaling the U.S. government is doing around this takedown is definitely intended to send a message, both to foreign adversaries as well as those being protected here: Russia is a real adversary, with real cyber-operations underway,” said Ellis.

Stephen Kowski, Field CTO at SlashNext Email Security, added that while the takedown is a significant blow to Star Blizzard’s operations, it’s important to remember that sophisticated threat actors are highly adaptable. Kowski said they may regroup and establish new infrastructure, but this action certainly disrupts their current campaigns and forces them to expend resources rebuilding.

“The effectiveness of such takedowns depends on the speed at which defenders can identify and neutralize new threats,” said Kowski. “Advanced AI-powered tools that can detect and block malicious URLs in real-time, even before they're widely known, are crucial in maintaining a robust defense against evolving phishing tactics. While this action may not make us completely safe, it does buy valuable time for organizations to strengthen their defenses and educate employees about emerging threats.”

Guy Rosenthal, vice president of product at DoControl, agreed that these state-sponsored actors are persistent and well-resourced, and are likely to regroup and adapt their tactics. Rosenthal said what was more concerning was that the group might view this as a challenge, potentially leading to increased efforts to compromise Microsoft's own systems or services in retaliation.

“We've seen this pattern before. For instance, after Microsoft took action against the NICKEL group in 2021, there was a noticeable uptick in attempts by that group to breach Microsoft and its customers' systems,” said Rosenthal. “It's a reminder that these actions, while necessary, can sometimes provoke an aggressive response.”

Austin Berglas, global head of professional services at BlueVoyant and former head of cyber, FBI NY, added that although the recent success of Microsoft and the Department of Justice may temporarily delay or even halt these cyber operations attributed to the Russian FSB, it’s not enough to permanently shut down their capability.

Berglas said there’s no doubt that these operations create havoc and disruption, forcing the FSB to spin up new infrastructure and regain access where it may have lost it because of the takedown activity. However, dismantling attack infrastructure is different from complete, operational dismantlement.

“Complete dismantlement is extremely difficult, especially when the adversary is a nation-state funded law enforcement and intelligence organization,” said Berglas. “In addition to identifying and seizing infrastructure, dismantlement can only be achieved with the removal of financial and communication channels as well as the identification and arrest of the responsible individuals. At best, ‘name and shame’ indictments combined with the seizure of infrastructure may serve as a deterrent, but for state-sponsored actors, this will mean relatively nothing without a whole, combined international government approach to addressing this ongoing issue.”
