In a significant win against cybercrime, Microsoft, in collaboration with the U.S. Department of Justice (DOJ), successfully disrupted the operations of a Russian-backed hacking group known as Star Blizzard (also called ColdRiver or Callisto Group).
Between January 2023 and August 2024, Star Blizzard launched persistent spear-phishing campaigns targeting civil society organizations, U.S. government agencies, and private companies. The group's sophisticated attacks aimed to steal sensitive information and undermine democratic processes globally.
On October 3, 2024, the U.S. District Court for the District of Columbia unsealed a civil action authorizing Microsoft to seize 66 domains tied to Star Blizzard's cyberattacks. The DOJ seized 41 additional domains simultaneously, totaling more than 100. Star Blizzard used these domains to carry out cyber espionage and phishing attacks targeting high-value victims such as journalists, think tanks, NGOs, U.S. military contractors, and the Department of Energy, which oversees nuclear programs.
Microsoft's Digital Crimes Unit (DCU) emphasized the significance of this action. Steven Masada, Assistant General Counsel at Microsoft's DCU, explained, "While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern."
Star Blizzard has been active since at least 2017, but in recent years, the group has enhanced its ability to evade detection, focusing on credential theft through spear-phishing. Their attacks target not only civil society groups but also former intelligence officials, military personnel, and those supporting Ukraine and NATO countries, including the United States and the United Kingdom.
While this takedown delivers a significant blow to Star Blizzard, cybersecurity experts caution that the fight is far from over. Casey Ellis, founder of Bugcrowd, highlighted the multiple goals of the takedown, saying, "Disrupting existing operations, their infrastructure, and their operatives… [it] sows internal doubt and confusion within the operation, which will chill their activities for a while." Ellis also emphasized that this action sends a message to Russia and other foreign adversaries that their cyber operations are being monitored.
Stephen Kowski, Field CTO at SlashNext, echoed this sentiment, noting that sophisticated threat actors like Star Blizzard are highly adaptable and can quickly rebuild. "While the takedown is a significant blow to ColdRiver's operations... the key to long-term security lies in continuous monitoring and rapid detection of new phishing domains and tactics as they emerge," Kowski said. He stressed the importance of AI-powered tools that block malicious URLs in real time.
Despite the success of this operation, experts warn that state-sponsored groups like Star Blizzard will likely retaliate and regroup. Guy Rosenthal, Vice President of Product at DoControl, emphasized that while this action disrupts their activities, it may also provoke an aggressive response: "We shouldn't expect this to be the end of ColdRiver or similar groups... we've seen this pattern before—after Microsoft took action against the NICKEL group in 2021, there was a noticeable uptick in attempts to breach Microsoft and its customers' systems."
Rosenthal and others agree that while takedowns are essential, they are only one piece of the larger cybersecurity puzzle. Organizations must remain vigilant, continually adapt their defenses, and leverage real-time threat intelligence to anticipate future attacks. Microsoft has urged civil society groups to harden their security posture by adopting multi-factor authentication and enrolling in programs like Microsoft AccountGuard, which provides an additional layer of monitoring and protection against nation-state attacks.
This joint action by Microsoft and the DOJ underscores the importance of collaboration between the private sector, government agencies, and civil society in defending against evolving cyber threats. While the takedown of these domains tied to Star Blizzard is a significant achievement, it reminds us of the relentless nature of nation-state actors and the ongoing need for vigilance in the fight against cybercrime. "This is an ongoing battle," said Rosenthal. "As long as there's valuable information to be stolen, there will be actors trying to steal it."
As cyberattacks evolve, the focus must remain on building robust defenses, leveraging cutting-edge technologies, and staying ahead of increasingly sophisticated threat actors.
Follow SecureWorld News for more stories related to cybersecurity.