Microsoft and DOJ seized the attack infrastructure used by Russia-linked Callisto Group

Pierluigi Paganini October 04, 2024

Microsoft and the U.S. DoJ seized over 100 domains used by the Russia-linked Callisto Group for launching attacks on U.S. government and nonprofits.

The Justice Department revealed the unsealing of a warrant to seize 41 domains used by Russia-linked Callisto Group (formerly SEABORGIUM, also known as COLDRIVER) for computer fraud in the United States.

The US DoJ coordinated its operation with Microsoft, which took civil action to restrain 66 additional domains.

“Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state actor Microsoft Threat Intelligence tracks as Star Blizzard. Today, the United States District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States.” reads the post published by Microsoft. “Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.”

A partially unsealed affidavit reveals that the APT group targeted a wide range of U.S. entities, including companies and current or former employees of the U.S. Intelligence Community, Department of Defense, Department of State, Department of Energy, and military defense contractors.

“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” said Deputy Attorney General Lisa Monaco. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”

In December 2023, the UK National Cyber Security Centre (NCSC) and Microsoft reported that the Russia-linked APT group Callisto Group was targeting organizations worldwide. The nation-state actor is carrying out spear-phishing attacks for cyberespionage purposes.

The Callisto APT group (aka “Seaborgium”, “Star Blizzard”, “ColdRiver”, “TA446”) has targeted government officials, military personnel, journalists and think tanks since at least 2015.

In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

In December 2023, the Reddit security team attributed the leak of US-UK trade documents through its platform to a coordinated information campaign linked to Russia.

“We were recently made aware of a post on Reddit that included leaked documents from the UK,” the statement said. “We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.”

“Earlier this year Facebook discovered a Russian campaign on its platform, which was further analyzed by the Atlantic Council and dubbed ‘Secondary Infektion,’” Reddit’s announcement said. “Suspect accounts on Reddit were recently reported to us, along with indicators from law enforcement, and we were able to confirm that they did indeed show a pattern of coordination.”

According to a press release published by the UK government, the UK and its allies observed a series of attempts by the Russian Intelligence Services to target high-profile individuals and entities through cyber operations. The nation-state actor aimed at obtaining information to interfere in UK politics and democratic processes.   

The UK Government linked the activity to Centre 18, a unit within Russia’s Intelligence Services FSB tracked as Star Blizzard.

“While some attacks resulted in documents being leaked, attempts to interfere with UK politics and democracy have not been successful.” reads the press release. “The group has also selectively leaked and amplified the release of information in line with Russian confrontation goals, including to undermine trust in politics in the UK and likeminded states.”

The UK believes that the FSB coordinated at least the following activities:

  • Cyber attacks against parliamentarians from multiple political parties since at least 2015.
  • The theft of UK-US trade documents leaked before the 2019 General Election. The leak was previously attributed to the Russian state via a Written Ministerial Statement in 2020.
  • The 2018 hack of the Institute for Statecraft, a UK think tank engaged in initiatives to safeguard democracy against disinformation. The state-sponsored hackers gained access to the account of its founder Christopher Donnelly from December 2021.
  • Attacks against universities, journalists, the public sector, non-governmental organizations, and other civil society organizations, many of which play a crucial role in UK democracy.

The National Crime Agency investigation identified two members of Star Blizzard, and the UK and US governments sanctioned them. The two individuals are:

  • Ruslan Aleksandrovich PERETYATKO, who is a Russian FSB intelligence officer and a member of Star Blizzard AKA the Callisto Group 
  • Andrey Stanislavovich KORINETS, AKA Alexey DOGUZHIEV, who is a member of Star Blizzard AKA the Callisto Group 

Returning to the present, Microsoft admitted that disrupting the domains will not completely stop the group’s spear-phishing activities.

“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern,” the company said.

“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.” concludes Microsoft. “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding. Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts.”
