U.S. and Microsoft Take Action Against Russian Cyber Fraud by Seizing 107 Domains
In a coordinated effort to combat cyber fraud, the U.S. Department of Justice (DoJ), in partnership with Microsoft, announced the seizure of 107 internet domains that were used by Russian state-sponsored threat actors to facilitate various forms of computer fraud and abuse. This action highlights ongoing concerns about cyber threats emanating from Russia that target American citizens and organizations.
Major Cyber Fraud Operation Exposed
Deputy Attorney General Lisa Monaco stated that the Russian government orchestrated a scheme to steal sensitive information from Americans using seemingly legitimate email accounts. These fraudulent activities were designed to trick victims into disclosing their account credentials, ultimately compromising their personal and financial information. The threat group responsible for these actions is identified as COLDRIVER, which is also known by several aliases, including Blue Callisto, BlueCharlie, Calisto, Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard, TA446, and UNC4057. This group has been active since at least 2012 and is believed to operate as an operational unit within Center 18 of the Russian Federal Security Service (FSB).
Sanctions Against Key Operatives
The malicious activities of COLDRIVER were previously recognized by both the U.K. and U.S. governments, which sanctioned two members of the group, Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, in December 2023. These sanctions were in response to their involvement in credential harvesting and spear-phishing campaigns targeting individuals and organizations. In June 2024, the European Council also imposed sanctions against the same individuals, underlining the international condemnation of their actions.
Seizure of Domains and Targeting Tactics
According to the DoJ, the newly seized domains were used by COLDRIVER to gain unauthorized access to computers and obtain sensitive information from various U.S. agencies. These domains played a crucial role in spear-phishing campaigns aimed at U.S. government email accounts and other potential victims, in an attempt to gather valuable credentials and data.
In conjunction with this seizure, Microsoft announced that it had filed a civil action to seize an additional 66 internet domains that were also linked to COLDRIVER. These domains targeted more than 30 civil society entities and organizations between January 2023 and August 2024, including non-governmental organizations and think tanks. Many of these organizations provide support to government employees, military officials, and intelligence operatives, particularly in relation to the conflict in Ukraine and support for NATO allies such as the U.S. and U.K.
The Impact on Cybersecurity
Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit (DCU), remarked on the relentless operations of COLDRIVER, stating that the group exploits trust, privacy, and the familiarity of everyday digital interactions. He noted that the group has shown aggressive tactics in targeting individuals such as former intelligence officials, Russian affairs experts, and even Russian citizens residing in the U.S.
Microsoft reported that it has identified 82 customers who have been targeted by COLDRIVER since January 2023, indicating the group's persistent efforts to evolve its tactics and achieve strategic goals. Masada emphasized the frequency of these attacks, showcasing the group's diligence in identifying high-value targets, crafting personalized phishing emails, and developing infrastructure for credential theft. Victims often remain unaware of the malicious intent behind the communications, leading to significant risks of credential compromise.
Conclusion
The seizure of these domains represents a significant step in countering the persistent threats posed by state-sponsored cyber actors. Both the U.S. and Microsoft remain committed to safeguarding individuals and organizations against such fraudulent schemes, emphasizing the importance of cybersecurity in an increasingly digital world.
Summary
The U.S. Department of Justice and Microsoft have seized 107 domains linked to Russian cyber fraud activities attributed to the threat group COLDRIVER. This operation reveals a coordinated effort to combat cybercrime targeting American citizens and organizations. The actions follow prior sanctions against key group members and highlight the ongoing risks posed by state-sponsored cyber threats.