In a recent development, Microsoft, in collaboration with the US Justice Department, has taken action against Star Blizzard, a Russian nation-state threat actor, by seizing over 100 domains utilized by the group. The move comes after Microsoft observed Star Blizzard targeting more than 30 civil society organizations, including journalists, think tanks, and non-governmental organizations, in an attempt to exfiltrate sensitive information and disrupt their operations through spear-phishing campaigns.
Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, emphasized the significance of this action, stating that it comes at a crucial time when foreign interference in the US democratic processes is a major concern. Masada highlighted Star Blizzard’s modus operandi, noting that the group meticulously studies their targets and poses as trusted contacts to achieve their malicious objectives.
Star Blizzard, also known as COLDRIVER and Callisto Group, has been active since at least 2017 and is linked to the Russian Federal Security Service (FSB). The group has a history of targeting NGOs, Western governments’ employees, military intelligence officials, Russian affairs experts, and Russian citizens in the US. In 2023, they attempted to interfere in UK politics by targeting elected officials, think tanks, journalists, and the public sector.
Microsoft’s threat analysts have identified 82 customers targeted by Star Blizzard since January 2023, indicating a persistent threat posed by the group. They employ multiple tactics to conceal their malicious activities, such as using various registrars to register domains, link-shortening services, and legitimate websites with open redirects. Despite these efforts, Microsoft continues to monitor and disrupt Star Blizzard’s operations to safeguard potential victims.
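The link-shortener and open-redirect tactics mentioned above are something an email-security team can screen for. The triage check below is an added illustration, not Microsoft's or any vendor's tooling; the shortener list, the redirect-parameter names and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed, hypothetical lists; a real deployment would use curated feeds.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "goto", "dest", "target", "u"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull http(s) URLs out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def classify_url(url):
    """Return reasons a link looks like shortener or open-redirect abuse.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        reasons.append("link-shortener")
    # parse_qs percent-decodes values, so an encoded URL in the parameter
    # becomes a parseable URL here.
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            inner = urlparse(value)
            # Absolute (http/https) or protocol-relative (//host) targets
            # pointing off the trusted host are the open-redirect pattern.
            if inner.scheme in ("http", "https", "") and inner.hostname \
                    and inner.hostname.lower() != host:
                reasons.append(f"open-redirect-to:{inner.hostname.lower()}")
    return reasons


def triage_message(text):
    """Map each URL in a message to its list of suspicious indicators."""
    return {u: classify_url(u) for u in extract_urls(text)}


# Constructed sample message for demonstration.
SAMPLE = ("Please review the draft: "
          "https://trusted.example.org/login?next=https%3A%2F%2Flookalike.example%2Fdoc "
          "or the short link https://bit.ly/abc123. Agenda: https://docs.example.org/agenda.pdf")

if __name__ == "__main__":
    for url, reasons in triage_message(SAMPLE).items():
        print(url, "->", reasons or "clean")
```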
Through a coordinated effort with the NGO Information Sharing and Analysis Center, Microsoft seized 66 internet domains used by Star Blizzard, while the US Justice Department seized an additional 41 domains. While the seizure of domains may not completely halt Star Blizzard’s activities, it allows for quick disruption of new infrastructure through legal avenues. This legal action also provides valuable intelligence about the group, which can be utilized to enhance cybersecurity measures and assist other entities in investigating and mitigating potential threats.
In a related development, the US Justice Department previously filed an indictment against two suspected Star Blizzard members/associates for their alleged involvement in hacking campaigns targeting computer networks in the US, the UK, and NATO members. This further underscores the ongoing efforts to combat foreign cyber threats and protect critical infrastructure from malicious actors.
Overall, the actions taken by Microsoft and the US Justice Department against Star Blizzard demonstrate a proactive approach to addressing cybersecurity threats and safeguarding democratic institutions from potential interference. By disrupting the operations of threat actors like Star Blizzard, the goal is to bolster cybersecurity measures and enhance resilience against evolving cyber threats.
