Microsoft, DOJ Intercept Russia-Backed Hacker Star Blizzard

This takedown is likely just a setback for Star Blizzard.

Edward Gately, Senior News Editor

October 4, 2024


Microsoft and the U.S. Department of Justice (DOJ) have taken down more than 100 domains used by Star Blizzard, a Russia-backed hacking unit, to target more than two dozen civil society organizations.

On Thursday, the U.S. District Court for the District of Columbia unsealed a civil action brought by Microsoft’s Digital Crimes Unit (DCU), including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard. The DOJ simultaneously seized 41 additional domains attributed to the same actor.

Star Blizzard, also known as ColdRiver, used the domains in cyberattacks targeting Microsoft customers globally, including throughout the United States. Between January 2023 and August 2024, Microsoft saw Star Blizzard target over 30 civil society organizations, including journalists, think tanks and non-governmental organizations (NGOs), by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.

Star Blizzard Likely to Establish New Infrastructure

“Together, we have seized more than 100 websites,” Steven Masada, DCU’s assistant general counsel wrote in a blog. “Rebuilding infrastructure takes time, absorbs resources and costs money. By collaborating with the DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard. While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding.”


In addition, DCU and Microsoft Threat Intelligence will gather additional intelligence about Star Blizzard and the scope of its activities, “which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations, and identify and assist victims with remediation efforts,” Masada said.

Star Blizzard is persistent, he said. The group meticulously studies its targets and poses as trusted contacts to achieve its goals.

"Since January 2023, Microsoft has identified 82 customers targeted by this group, at a rate of approximately one attack per week,” Masada said. “This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft. Their victims, often unaware of the malicious intent, unknowingly engage with these messages leading to the compromise of their credentials. These attacks strain resources, hamper operations and stoke fear in victims, all hindering democratic participation.”


Putting Star Blizzard, Others On Notice

Casey Ellis, Bugcrowd’s founder and chief strategy officer, said the takedown serves a few purposes.


“It puts ColdRiver and others on notice that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while,” he said. “Importantly, the announcement and the amount of signaling the U.S. government is doing around this takedown is definitely intended to send a message, both to foreign adversaries as well as those being protected here. Russia is a real adversary, with real cyber-operations underway.”

Guy Rosenthal, DoControl’s vice president of product, said this is a significant blow to Star Blizzard’s operations, but it's not without potential consequences. While it will disrupt their activities in the short term, “we shouldn't expect this to be the end of ColdRiver or similar groups.” In fact, this action might even paint a bigger target on Microsoft's back.


These takedowns do have value, “but let's be realistic — this is an ongoing battle," he said.

“As long as there's valuable information to be stolen, there will be actors trying to steal it,” Rosenthal added. “What's crucial is that organizations don't let their guard down. They need to assume that threats like ColdRiver are constantly evolving and looking for new ways in. While we should applaud this takedown, it's not a reason to relax. It's a call to double down on our cybersecurity efforts and stay vigilant against the next wave of attacks, whatever form they may take, and that includes keeping a close eye on our Microsoft environments for any signs of retaliatory action.”


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
