Microsoft and the US Department of Justice (DoJ) made headlines this week by jointly taking down more than 100 domains used by Star Blizzard, a Russian state-sponsored hacking group. The advanced persistent threat (APT), active since at least 2017, has concentrated its attacks on journalists, non-governmental organizations (NGOs) and experts on Russia, particularly those who support Ukraine.
The coordinated operation dismantled the group's server infrastructure in the West, hampering the attackers' ability to regroup and continue their campaigns. Deputy Attorney General Lisa Monaco described the DoJ's seizure of 41 of those domains (the remainder were taken down through Microsoft's civil action) as the government's cyber strategy in action, aimed at disrupting and deterring malicious state-sponsored cyber actors.
Star Blizzard, also tracked as "Cold River" and "Callisto," relies primarily on phishing emails to steal login credentials from its targets. The group recently deployed its first custom backdoor, a sign that its espionage tradecraft is evolving. A partially unsealed DoJ indictment revealed that FSB officer Ruslan Peretyatko and his alleged co-conspirator Andrey Korinets were charged last December for their roles in Star Blizzard's espionage campaigns, which extended to the UK, NATO countries and Ukraine. In the US, the group's targets have included military contractors, intelligence personnel and government agencies.
Despite the Kremlin-sponsored APT's sophisticated evasion techniques, Microsoft has kept a close watch on Star Blizzard and disrupted its operations in 2022 and again last year. Microsoft points to the cumulative impact of such takedowns in its efforts to combat cybercrime.
The timing of the disruption matters: US officials are on high alert for foreign interference ahead of the upcoming presidential election. Given Star Blizzard's role in advancing Russian interests, including election disruption, Microsoft stressed that the takedown directly helps safeguard the US democratic process from external threats. Microsoft observed Star Blizzard targeting more than 30 civil society organizations between January 2023 and August 2024, underscoring the group's persistent efforts to interfere in democratic processes.
Looking ahead, cybersecurity experts warn that the Russian threat is likely to persist despite the takedown. Sean McNee, head of threat research at DomainTools, expects nation-state-backed groups to register more domains for cyber espionage and disinformation campaigns around the US election. While the joint DoJ and Microsoft action is a significant step toward protecting the internet, experts believe it may only scratch the surface of the broader threat posed by FSB-linked groups.
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, raises concerns about Russia's escalating cyber insurgency in American cyberspace. He warns of potential collaboration between the GRU and cybercrime cartels in infiltration campaigns, which he sees as a serious threat to US security, and calls for enhanced threat hunting and runtime security measures to counter the evolving Russian campaign.
In conclusion, the collaboration between Microsoft and the DoJ in dismantling Star Blizzard's infrastructure highlights the ongoing challenge posed by sophisticated state-sponsored cyber actors. While the takedown is a significant achievement, experts stress that continuous vigilance and coordinated action will be needed to defend against these evolving threats. The private sector must remain alert to the persistent danger of cyber espionage and take proactive steps to safeguard critical infrastructure and democratic processes from malicious actors.
