Microsoft and US Government Disrupt Russian Star Blizzard Operations


Microsoft, in coordination with the US government, has seized over 100 websites used by the notorious Russian nation-state threat actor Star Blizzard.

A US court authorized Microsoft’s Digital Crimes Unit (DCU) to seize 66 unique domains used by Star Blizzard to attack Microsoft customers globally, after a civil action brought by the tech giant was unsealed.

The US Department of Justice (DoJ) simultaneously seized 41 additional domains attributed to the same actor.

While Star Blizzard is likely to establish new infrastructure, the seizure of these domains is expected to significantly disrupt the group’s ability to interfere with the US election in November.

“Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard,” Microsoft said in a blog post.

Microsoft added that the existing court proceeding that authorized the takedown will enable it to quickly disrupt any new infrastructure identified as being used by Star Blizzard in the future.

Additionally, the tech giant plans to analyze the seized domains to gather more intelligence about the group and the scope of its activities.

Star Blizzard’s Targeting of Democratic Processes

Star Blizzard, aka Coldriver, has been active since at least 2017 and focused on undermining the democratic processes of Western nations, including in the US and UK.

The group primarily uses sophisticated social engineering attacks to steal the credentials of individuals involved in policy decisions and democratic processes, such as elected officials, think tanks, journalists and public sector employees.

The threat actor typically masquerades as an expert in a particular field to build a rapport with the target before sending a phishing link.

In December 2023, the UK government and allies formally attributed Star Blizzard to the Russian Federal Security Service (FSB) and highlighted the group’s cyber campaigns designed to interfere in UK politics and democratic processes.

The group is adept at obfuscating its identity, which allows it to move to new domains and continue operations after a takedown.

Microsoft said it has identified 82 customers targeted by the group since January 2023, at a rate of approximately one attack per week.

“This frequency underscores the group's diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft,” Microsoft wrote.

“Their victims, often unaware of the malicious intent, unknowingly engage with these messages leading to the compromise of their credentials. These attacks strain resources, hamper operations and stoke fear in victims – all hindering democratic participation,” the firm added.

Growing Ability to Disrupt Attackers

The action taken by Microsoft and the US government is the latest in a number of operations by authorities to disrupt technical infrastructure used by cyber threat groups.

On October 1, the UK National Crime Agency (NCA) announced sanctions against 16 members of the Russian hacker group Evil Corp and identified the group’s links to the prolific ransomware operation LockBit.

Simultaneously, Europol announced that four suspected LockBit actors have been arrested by law enforcement, while servers critical for the group’s infrastructure have been seized.

This update was a result of phase three of Operation Cronos, the global law enforcement effort that first took down much of LockBit’s infrastructure in February 2024.

Microsoft has vowed to continue its efforts to proactively disrupt cybercriminal infrastructure in coordination with the private sector, civil society, government agencies and law enforcement.

Image credit: Ralf Liebhold / Shutterstock.com
