Cyber security news for all

    U.S. and Microsoft Target Russian Cyber Fraud by Seizing 107 Internet Domains

    On Thursday, Microsoft and the U.S. Department of Justice (DoJ) announced the seizure of 107 internet domains used by state-sponsored threat actors linked to Russia to facilitate computer fraud and abuse in the United States. The DoJ seized 41 of the domains through a warrant, and Microsoft obtained the remaining 66 through a civil action.

    “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” stated Deputy Attorney General Lisa Monaco.

    The activity is attributed to a threat actor known as COLDRIVER, which is also referred to as Blue Callisto, BlueCharlie (or TAG-53), Calisto, Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057. This group has been active since at least 2012 and is believed to operate as a unit within Center 18 of the Russian Federal Security Service (FSB).

    In December 2023, the U.K. and U.S. governments sanctioned two members of the group, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in malicious credential harvesting and spear-phishing campaigns. In June 2024, the Council of the European Union sanctioned the same two individuals.

    According to the DoJ, the newly seized 41 domains were utilized by these threat actors to “commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer.”

    These domains were reportedly part of a spear-phishing campaign directed at the email accounts of U.S. government employees and other victims, with the aim of harvesting login credentials and sensitive data.

    Simultaneously, Microsoft announced that it has filed a civil action to seize 66 additional internet domains associated with COLDRIVER, which targeted over 30 civil society entities and organizations from January 2023 to August 2024. This included NGOs and think tanks that provide support to government employees, military personnel, and intelligence officials, particularly those assisting Ukraine and NATO countries such as the U.K. and the U.S. COLDRIVER’s focus on NGOs was previously documented by Access Now and the Citizen Lab in August 2024.

    “Star Blizzard’s operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions,” remarked Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU). “They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S.”

    Microsoft reported identifying 82 customers targeted by the adversary since January 2023, a pace that reflects the group's persistence and its willingness to keep evolving its tactics to reach its strategic objectives.

    “This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft,” Masada noted. “Their victims, often unaware of the malicious intent, unknowingly engage with these messages, leading to the compromise of their credentials.”
