Microsoft files lawsuit to seize domains used by Russian spooks

Microsoft has been given permission to seize multiple domains used by the Russian state threat actor Star Blizzard as part of a coordinated disruption effort undertaken ahead of the US elections

The United States District Court for the District of Columbia has today (3 October) unsealed a civil action brought by Microsoft’s Digital Crimes Unit (DCU), including an order allowing it to seize 66 unique domains used by the Russian state threat actor known variously as Star Blizzard, Coldriver and Callisto.

Star Blizzard is alleged to have used these domains to spy on Microsoft customers globally in a lengthy campaign conducted through targeted spear phishing attempts. Victims include multiple civil society individuals and organisations, such as journalists and media outlets, non-governmental organisations (NGOs) and think tanks.

The lawsuit is being filed along with the NGO Information Sharing and Analysis Center (NGOISAC) in coordination with the US Department of Justice (DOJ), which has itself already seized 41 additional domains attributed to Star Blizzard today. All told, this means more than 100 malicious websites will be taken out, expanding the scope of disruption to Star Blizzard’s activity.

“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern,” said Microsoft DCU assistant general counsel Steven Masada.

“It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding. Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations, and identify and assist victims with remediation efforts,” he said.

Described as “relentless” by Microsoft, Star Blizzard’s operations date back as far as 2017, although in the past two years the group has greatly expanded its capabilities, which have been deployed against targets not just in the US but across the Nato bloc.

Last year, the UK officially linked Star Blizzard to Russia’s FSB agency and sanctioned two individuals, named as Andrey Stanislavovich Korinets and Ruslan Aleksandrovich Peretyatko, associated with the operation’s work against targets in the UK, which included hack and leak attacks prior to the 2019 general election.

Most famously, as exposed by Computer Weekly investigative reporting, the group also attacked a former head of MI6 and stole and published thousands of emails from a network of hard Brexit supporters, supposedly as revenge for former prime minister Boris Johnson’s support for Ukraine.

Masada said that despite the setbacks and sanctions already imposed on Star Blizzard prior to today, the operation has remained remarkably persistent. Its operatives meticulously study their targets and spoof the identities of trusted contacts to gain their trust and achieve their goals.

Microsoft now believes that 82 of its customers have been targeted since January 2023, at a rate of about one attack every week.

“This frequency underscores the group’s diligence in identifying high-value targets, crafting personalised phishing emails, and developing the necessary infrastructure for credential theft. Their victims, often unaware of the malicious intent, unknowingly engage with these messages, leading to the compromise of their credentials. These attacks strain resources, hamper operations and stoke fear in victims – all hindering democratic participation,” said Masada.

An additional challenge in reaching this point has been Star Blizzard’s ability to adapt and obfuscate its activities and identity. It swiftly transitions its infrastructure to new domains whenever exposed, and has been observed doing so again after the publication of a report on its work in August 2024 by The Citizen Lab at the University of Toronto’s Munk School, and digital rights body Access Now.

Shared mission

Masada continued: “Today’s action is an example of the impact we can have against cyber crime when we work together. We applaud DOJ for their collaboration in this and other significant matters, and encourage governments globally to engage and embrace industry partners, such as Microsoft, in a shared mission of combatting increasingly sophisticated threats operating in cyber space.

“Microsoft’s DCU will continue our efforts to proactively disrupt cyber criminal infrastructure and collaborate with others across the private sector and with civil society, government agencies and law enforcement to fight back against those who seek to cause harm.”

As a best practice, Microsoft is advising all civil society groups to harden their security protections, add multifactor authentication (MFA) on personal and professional email accounts, and enrol in the Microsoft AccountGuard programme, which offers additional, tailored protections.

However, said Redmond, these efforts must be coupled with the application of international norms to limit nation-state-backed cyber attacks, particularly those that target democratic processes.

It pointed out that Star Blizzard, and by extension Russia, is clearly violating the UN Framework for Responsible State Behaviour Online.
