DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks
(2024/10/03)
- Reference: 1727971213
- News link: https://www.theregister.co.uk/2024/10/03/russian_phishing_domains_seized/
- Source link:
The US Department of Justice and Microsoft have seized 107 websites used by Russian cyberspies in a phishing campaign to steal sensitive information from US government agencies, think tanks, and other victims.
Court orders targeted domains belonging to Russia's Callisto Group (aka Star Blizzard and Coldriver), a hacking unit of the Russian Federal Security Service (FSB) that has been attacking defense, intelligence, political orgs, and academia [1]since at least 2017 .
"The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," US Deputy Attorney General Lisa Monaco said in a statement today announcing the FSB infrastructure disruption.
[2]
According to the DOJ’s warrant
[4]
[5]
Targeted victims “thus far” included US-based companies, former intelligence community employees, former and current Department of Defense and Department of State employees, United States military defense contractors, and staff at the Department of Energy.
As recently as August, the University of Toronto's Citizen Lab [6]warned of a massive, two-year espionage campaign during which Callisto hackers had been stealing user credentials and 2FA tokens from victims in the US and Europe.
[7]
Meanwhile, the Microsoft's court order authorized the take down of another 66 domains.
Between January 2023 and August 2024, Redmond spotted the Russians phishing 30 civil society entities and organizations, including journalists, think tanks, and NGOs, we're told.
"While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern," Microsoft said in announcing the civil action. "It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding."
[8]Russian cyber snoops linked to massive credential-stealing campaign
[9]Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets
[10]Google TAG: Kremlin cyber spies move into malware with a custom backdoor
[11]Reckon Russian spies are lurking in your inbox? Check for these IOCs, Microsoft says
The Feds' website takedown also follows [12]criminal charges levied against two alleged Callisto-affiliated individuals, FSB officer Ruslan Aleksandrovich Peretyatko and co-conspirator Andrey Stanislavovich Korinets, for their supposed roles in a scheme to break into computer networks in the US, the UK, other NATO countries, and Ukraine on behalf of the Russian government.
In December 2023, seven government agencies from Australia, Canada, New Zealand, the US, and the UK [13]sounded the alarm about Callisto's phishing techniques, while UK Foreign Office minister Leo Docherty [14]accused the FSB crew of hacking private conversations of high-profile UK politicians, then "selectively leak[ing] and amplify[ing] information" for political meddling. ®
Get our [15]Tech Resources
[1] https://www.theregister.com/2017/04/13/apt_crew_abuses_leaked_hackingteam_spyware/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://regmedia.co.uk/2024/10/03/callistogroupwarrant.pdf
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/08/14/russias_fsb_cyber_phishing/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/08/14/russias_fsb_cyber_phishing/
[9] https://www.theregister.com/2023/12/08/five_eyes_star_blizzard_warning/
[10] https://www.theregister.com/2024/01/18/google_tag_coldriver_malware/
[11] https://www.theregister.com/2022/08/16/microsoft_russian_spies/
[12] https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer
[13] https://www.theregister.com/2023/12/08/five_eyes_star_blizzard_warning/
[14] https://www.politico.eu/article/uk-accuses-russia-of-hacking-politicians-and-journali/
[15] https://whitepapers.theregister.com/
Court orders targeted domains belonging to Russia's Callisto Group (aka Star Blizzard and Coldriver), a hacking unit of the Russian Federal Security Service (FSB) that has been attacking defense, intelligence, political orgs, and academia [1]since at least 2017 .
"The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," US Deputy Attorney General Lisa Monaco said in a statement today announcing the FSB infrastructure disruption.
[2]
According to the DOJ’s warrant
[3]PDF
, the 41 seized domains “were used or intended to be used by members of the Callisto Group in an ongoing and sophisticated spear phishing campaign with the goal of gaining unauthorized access to the computers and email accounts of victims, to then steal valuable information and sensitive United States government intelligence.”[4]
[5]
Targeted victims “thus far” included US-based companies, former intelligence community employees, former and current Department of Defense and Department of State employees, United States military defense contractors, and staff at the Department of Energy.
As recently as August, the University of Toronto's Citizen Lab [6]warned of a massive, two-year espionage campaign during which Callisto hackers had been stealing user credentials and 2FA tokens from victims in the US and Europe.
[7]
Meanwhile, the Microsoft's court order authorized the take down of another 66 domains.
Between January 2023 and August 2024, Redmond spotted the Russians phishing 30 civil society entities and organizations, including journalists, think tanks, and NGOs, we're told.
"While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern," Microsoft said in announcing the civil action. "It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding."
[8]Russian cyber snoops linked to massive credential-stealing campaign
[9]Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets
[10]Google TAG: Kremlin cyber spies move into malware with a custom backdoor
[11]Reckon Russian spies are lurking in your inbox? Check for these IOCs, Microsoft says
The Feds' website takedown also follows [12]criminal charges levied against two alleged Callisto-affiliated individuals, FSB officer Ruslan Aleksandrovich Peretyatko and co-conspirator Andrey Stanislavovich Korinets, for their supposed roles in a scheme to break into computer networks in the US, the UK, other NATO countries, and Ukraine on behalf of the Russian government.
In December 2023, seven government agencies from Australia, Canada, New Zealand, the US, and the UK [13]sounded the alarm about Callisto's phishing techniques, while UK Foreign Office minister Leo Docherty [14]accused the FSB crew of hacking private conversations of high-profile UK politicians, then "selectively leak[ing] and amplify[ing] information" for political meddling. ®
Get our [15]Tech Resources
[1] https://www.theregister.com/2017/04/13/apt_crew_abuses_leaked_hackingteam_spyware/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://regmedia.co.uk/2024/10/03/callistogroupwarrant.pdf
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/08/14/russias_fsb_cyber_phishing/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zv8UA4p0bT2mC0zlRIcRWwAAAE8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/08/14/russias_fsb_cyber_phishing/
[9] https://www.theregister.com/2023/12/08/five_eyes_star_blizzard_warning/
[10] https://www.theregister.com/2024/01/18/google_tag_coldriver_malware/
[11] https://www.theregister.com/2022/08/16/microsoft_russian_spies/
[12] https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer
[13] https://www.theregister.com/2023/12/08/five_eyes_star_blizzard_warning/
[14] https://www.politico.eu/article/uk-accuses-russia-of-hacking-politicians-and-journali/
[15] https://whitepapers.theregister.com/
Literally the first six words of the article
DS999
Are "The US Department of Justice and"
The DOJ is running this, and Microsoft is helping / feeding them the information they learn from their customers (which includes pretty much everyone)
Re: Literally the first six words of the article
Yet Another Anonymous coward
Are "The US Department of Justice and"
So are the domains seized outside the US aswell ?
Re: Literally the first six words of the article
DS999
The DOJ works with law enforcement agencies all over the world, though if a domain is registered by a US based registrar they may not need to involve them.
I fail to see how Microsoft are now the internet police and seizing domains?
Sure if they were impersonating Microsoft owned websites, purchased the domains through a registrar operated by MS, or even used false details so it appeared Microsoft was the ones registering the domains, then i could understand their involvement. But no where in the article does it mentioned any of those links?
My personal opinion is that if Microsoft noticed these domains were used for illegal activities then report it to the police and then its law enforcement who should be going after them and getting them seized, not MS or any other tech company who has no direct involvement.