The U.S. Department of Justice and Microsoft Corp. have seized 107 websites allegedly used by Russian intelligence agents and their proxies in the U.S. as part of a crackdown on computer fraud and abuse.
The Justice Department seized 41 domains named via warrant, while Microsoft managed to seize 66 domains through civil action. Collectively, the domains are claimed to have been used by a Russian nation-state actor Microsoft Threat Intelligence tracks as Star Blizzard, a group also known by the names of SEABORGIUM and Callisto Group.
According to Microsoft today, the domains were used by Star Blizzard to target over 30 civil society organizations, including journalists, think tanks and non-government organizations between January 2023 and August 2024. The domains were utilized as part of spear-phishing campaigns that attempted to exfiltrate sensitive information and interfere in the activities of the targeted victims.
Star Blizzard itself is believed to have been active since 2017, with the group upping its hacking game in 2022 with improved detection evasion capabilities while remaining focused on email credential threats. Recent targets of the group have included NGOs and think tanks that support government employees and military and intelligence officials, especially those supporting Ukraine.
The group is more than a standard phishing operation, however, with Microsoft noting that they meticulously study their targets and pose as trusted contacts to achieve their goals. The group identifies high-value targets and then crafts personalized phishing emails and develops the necessary infrastructure for credential theft. The victims, often unaware of the malicious intent, then unknowingly engage with these messages, leading to the compromise of their credentials.
Targets of Star Blizzard include former employees of the US intelligence community, personnel at U.S. defense contractors and officials at the Departments of Defense, State and Energy.
While the takedown is being celebrated by the Department of Justice, complete with a media release full of self-congratulatory quotes, in reality, seizing some domain names is nothing more than a minor speed bump in alleged Russian hacking activities.
“This takedown is likely only scratching the surface when it comes to FSB or other groups who have purchased domains to seed malignant websites,” Sean M. McNee, head of Threat Research at DomainTools LLC, told SIliconANGLE via email. “We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation.”