
U.S. and Microsoft Strike Major Blow to Russian Cyber Fraud Seizing 107 Domains in Global Crackdown

In a major crackdown against cyber fraud, Microsoft and the U.S. Department of Justice (DoJ) recently announced the seizure of 107 internet domains used by Russian state-sponsored cybercriminals. This effort is part of an ongoing battle to curb cyberattacks, particularly those linked to sensitive information theft and the abuse of digital trust.

The Russian Connection: Targeting Americans’ Data

These domains, run by cyber threat actors tied to the Russian government, were primarily used to facilitate computer fraud and abuse. The group's goal? To steal Americans' sensitive information by luring victims into disclosing login credentials via fake but convincing email accounts. Deputy Attorney General Lisa Monaco stated, “The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials.”

The culprits behind these cyberattacks are attributed to a group known as COLDRIVER. While the name may not immediately ring a bell, the group is notorious under a variety of aliases: Blue Callisto, BlueCharlie, Dancing Salome, Gossamer Bear, Star Blizzard, and more. COLDRIVER, also referred to as TAG-53 and UNC4057, is reportedly an operational unit under Russia's Federal Security Service (FSB), active since at least 2012.

Sanctions and the Growing Pressure on COLDRIVER

In recent years, law enforcement efforts have ramped up against the group. In December 2023, the U.K. and U.S. governments imposed sanctions on two of COLDRIVER’s prominent members: Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets. These individuals were singled out for their roles in harvesting credentials and launching spear-phishing campaigns—highly targeted efforts aimed at infiltrating the systems of U.S. government officials, military personnel, and civil society organizations. Further sanctions came from the European Council in June 2024, continuing the international pressure on the group.

The Domains - A Gateway to Cyber Intrusions

Among the 107 domains seized, 41 were primarily used by the attackers to execute spear-phishing campaigns against the U.S. government. These campaigns targeted high-level email accounts with the aim of stealing credentials and accessing valuable, often classified, information. This tactic is a key part of COLDRIVER’s operational playbook, blending stealth and social engineering to trick users into compromising sensitive systems.

The DoJ noted that the threat actors violated multiple computer access laws, including unauthorized access to government systems and protected computers. These malicious actions caused significant damage, underlining the persistent and evolving nature of modern cybercrime.

Microsoft’s Civil Action in Tackling COLDRIVER’s Network

Parallel to the domain seizures, Microsoft took legal steps to neutralize 66 additional internet domains associated with COLDRIVER. These domains were used to target over 30 civil society entities and organizations between January 2023 and August 2024, primarily NGOs and think tanks that support government employees, military personnel, and intelligence officials. The group's operations spanned NATO countries such as the U.K. and the U.S., with a particular interest in organizations providing support to Ukraine, a clear indicator of Russia's geopolitical goals.

Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU), highlighted the severity of these campaigns. "Star Blizzard's operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions," he remarked. He emphasized that the group has been particularly aggressive in targeting former intelligence officials, experts on Russian affairs, and even Russian citizens residing in the U.S.

COLDRIVER’s Relentless Pursuit of Data

Since January 2023, Microsoft has identified 82 customers targeted by COLDRIVER, a reflection of the group's persistence. "Their frequency underscores the group's diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft," Masada added. This relentless pursuit shows that the group is constantly refining its methods to stay ahead of defensive measures.

Victims, often unaware of the malicious intent behind these phishing emails, unknowingly engage with these fraudulent messages. As a result, their credentials are compromised, giving cybercriminals access to sensitive data and high-value networks.

A Step Forward in the Fight Against Cybercrime

The joint efforts of Microsoft and the U.S. government in seizing these domains mark a critical victory in the ongoing war against state-sponsored cyberattacks. While this crackdown disrupts COLDRIVER’s operations for now, the group’s history suggests that they will continue to evolve, making it crucial for governments, organizations, and individuals to remain vigilant.

The seizure of these domains is just one step in a broader effort to protect sensitive information, secure digital trust, and hold cybercriminals accountable. As cyber threats continue to evolve, the importance of robust security measures and coordinated global responses cannot be overstated.
