Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Identity & Access Management

US, Microsoft Seize Domains Used in Russian Spear-Phishing

FSB Hackers Stripped of 107 Domains Used to Steal Credentials
US, Microsoft Seize Domains Used in Russian Spear-Phishing
A Russian FSB spear-phishing operation lost more than 100 domains. (Image: Shutterstock)

The U.S. Department of Justice and Microsoft seized more than 100 websites allegedly used by a Russian intelligence cyberespionage operation with a fondness for spear-phishing.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

Federal investigators told a San Francisco federal judge that the Federal Security Service threat actor - tracked as Callisto Group, Coldriver and Star Blizzard - is targeting members of the national security apparatus. Recipients of individually crafted, malicious emails include current or former employees of American intelligence agencies and the Pentagon, as well as defense contractors.

The federal operation seized 41 web domains, while a court order obtained by Microsoft resulted in the seizure of 66 domains.

In its court complaint, the computing giant said FSB hackers used the domains to masquerade as individuals known by the targets and to publish websites that mimic Microsoft login pages. Stolen credentials are an opportunity to access inboxes "to steal more credentials, personal information and confidential information to further Russian interests." Kremlin hackers also deployed the open source Evilginx framework to harvest session cookies to bypass multifactor authentication.

Microsoft said it observed the threat actor targeting more than 30 civil society organizations including journalists, think tanks and non-governmental organizations. Research by two NGOs published in August attributed a spear-phishing campaign targeting Russian dissidents and rights groups across the United States and Europe to Callisto (see: Russian FSB Hackers Behind Espionage Campaign Targeting NGOs).

The FSB threat actor has been active since at least 2017, undertaking a nearly 10-year campaign against British lawmakers in multiple political parties (see: UK and US Accuse Russian FSB of 'Hack and Leak' Operation).

Federal prosecutors in December indicted two Russian nationals for Callisto Group hacking, one of them an FSB officer. A late 2023 article published by English-speaking countries that make up the Five Eyes intelligence alliance warned that the group was still active.

The Thursday seizure of 107 domains is hardly likely to spell the end of Callisto Group's spear-phishing activity. "Once their active infrastructure is exposed, they swiftly transition to new domains to continue their operation," Microsoft said.

Even if the effects are temporary, the seizures' timing nonetheless comes "at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern," Microsoft added. "Rebuilding infrastructure takes time, absorbs resources and costs money."

During the countdown to the Nov. 5, 2024, U.S. presidential election, the federal government has imposed additional sanctions on Russian state media and busted an artificial-intelligence-driven disinformation network run by the Russian domestic intelligence agency and affiliates of a state-run propaganda broadcaster (see: US Busts Russian AI-Driven Disinformation Operation).


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.