US, Microsoft Seize Domains Used in Russian Spear-Phishing
FSB Hackers Stripped of 107 Domains Used to Steal Credentials

The U.S. Department of Justice and Microsoft seized more than 100 websites allegedly used by a Russian intelligence cyberespionage operation with a fondness for spear-phishing.
Federal investigators told a federal judge in San Francisco that the threat actor, tied to Russia's Federal Security Service and tracked as Callisto Group, Coldriver and Star Blizzard, is targeting members of the national security apparatus. Recipients of individually crafted, malicious emails include current or former employees of American intelligence agencies and the Pentagon, as well as defense contractors.
The federal operation seized 41 web domains, while a court order obtained by Microsoft resulted in the seizure of 66 domains.
In its court complaint, the computing giant said FSB hackers used the domains to masquerade as individuals known to the targets and to host websites that mimic Microsoft login pages. Stolen credentials are an opportunity to access inboxes "to steal more credentials, personal information and confidential information to further Russian interests." Kremlin hackers also deployed the open source Evilginx framework, an adversary-in-the-middle reverse proxy, to harvest session cookies and bypass multifactor authentication.
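The mechanism behind that last sentence is worth seeing concretely. The simulation below is an added illustration, not code from Evilginx, Microsoft's complaint or the article: a victim completes password plus TOTP against the real service, but through an attacker-controlled relay, which keeps the session cookie the service issues; the attacker then replays the cookie and is "alice" without ever seeing a second factor. The second half shows the property that defeats the relay, an origin-bound second factor of the kind WebAuthn provides, modelled here with HMAC for brevity (real authenticators use public-key signatures, but the origin binding works the same way). All hostnames, passwords, seeds and keys are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# ---- constructed demo data; none of these names or secrets are real ----
REAL_ORIGIN = "https://login.example-tenant.test"          # legitimate login page
PHISH_ORIGIN = "https://login.example-tenant-secure.test"  # attacker's lookalike
PASSWORD = "correct-horse-battery"
TOTP_SEED = b"victim-totp-seed"
AUTHENTICATOR_KEY = b"device-bound-key-that-never-crosses-the-wire"


def totp(seed: bytes, counter: int) -> str:
    """Six-digit HOTP-style code; 'counter' stands in for the 30-second time step."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class Service:
    """Login service accepting password + TOTP and issuing a bearer session cookie."""

    def __init__(self):
        self.cookies = {}  # session cookie -> username

    def login(self, user, password, code, counter):
        if user != "alice" or password != PASSWORD or code != totp(TOTP_SEED, counter):
            return None
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = user
        return cookie

    def whoami(self, cookie):
        # A bearer cookie proves that *someone* authenticated earlier; the MFA
        # step is not repeated, so whoever presents the cookie is 'alice'.
        return self.cookies.get(cookie)


class AitMRelay:
    """Evilginx-style reverse proxy: forwards the real login, keeps the cookie."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []

    def login(self, user, password, code, counter):
        cookie = self.upstream.login(user, password, code, counter)
        if cookie:
            self.captured.append(cookie)  # the prize: a fully MFA'd session
        return cookie  # the victim really is logged in, so nothing looks wrong


def totp_phishing_outcome(counter=1234):
    """Victim logs in through the relay; attacker replays the captured cookie."""
    svc = Service()
    relay = AitMRelay(svc)
    victim_cookie = relay.login("alice", PASSWORD, totp(TOTP_SEED, counter), counter)
    attacker_identity = svc.whoami(relay.captured[0])
    return victim_cookie is not None, attacker_identity


class OriginBoundService(Service):
    """Same service, but the second factor is an assertion bound to the origin
    the browser actually loaded.  HMAC stands in for a WebAuthn signature."""

    def __init__(self):
        super().__init__()
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_hex(16)
        return self.pending

    def login_bound(self, user, password, assertion):
        expected = hmac.new(AUTHENTICATOR_KEY,
                            f"{self.pending}|{REAL_ORIGIN}".encode(),
                            hashlib.sha256).hexdigest()
        if user != "alice" or password != PASSWORD or not hmac.compare_digest(assertion, expected):
            return None
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = user
        return cookie


def authenticator_assert(challenge, origin_seen_by_browser):
    """The browser, not the page, supplies the origin; the key never leaves the device."""
    return hmac.new(AUTHENTICATOR_KEY,
                    f"{challenge}|{origin_seen_by_browser}".encode(),
                    hashlib.sha256).hexdigest()


def bound_login_outcome(origin_seen_by_browser):
    """Relay forwards challenge and assertion unchanged; only the origin differs."""
    svc = OriginBoundService()
    chal = svc.challenge()
    assertion = authenticator_assert(chal, origin_seen_by_browser)
    return svc.login_bound("alice", PASSWORD, assertion)  # None when phished


if __name__ == "__main__":
    print("TOTP through relay -> attacker is:", totp_phishing_outcome()[1])
    print("Origin-bound, real site  ->", bound_login_outcome(REAL_ORIGIN) is not None)
    print("Origin-bound, lookalike  ->", bound_login_outcome(PHISH_ORIGIN) is not None)
```

The point of the contrast is that a TOTP code is just another secret the victim types into the attacker's page, and the resulting cookie is a bearer token, so the relay loses nothing by passing everything through. An origin-bound assertion covers the lookalike hostname the browser really visited, so the legitimate service rejects it and no session is ever minted for the attacker to capture.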
Microsoft said it observed the threat actor targeting more than 30 civil society organizations including journalists, think tanks and non-governmental organizations. Research by two NGOs published in August attributed a spear-phishing campaign targeting Russian dissidents and rights groups across the United States and Europe to Callisto (see: Russian FSB Hackers Behind Espionage Campaign Targeting NGOs).
The FSB threat actor has been active since at least 2017, undertaking a nearly 10-year campaign against British lawmakers in multiple political parties (see: UK and US Accuse Russian FSB of 'Hack and Leak' Operation).
Federal prosecutors in December indicted two Russian nationals for Callisto Group hacking, one of them an FSB officer. A joint advisory published in late 2023 by the English-speaking countries that make up the Five Eyes intelligence alliance warned that the group was still active.
The Thursday seizure of 107 domains is hardly likely to spell the end of Callisto Group's spear-phishing activity. "Once their active infrastructure is exposed, they swiftly transition to new domains to continue their operation," Microsoft said.
Even if the effects are temporary, the seizures' timing nonetheless comes "at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern," Microsoft added. "Rebuilding infrastructure takes time, absorbs resources and costs money."
During the countdown to the Nov. 5, 2024, U.S. presidential election, the federal government has imposed additional sanctions on Russian state media and busted an artificial-intelligence-driven disinformation network run by the Russian domestic intelligence agency and affiliates of a state-run propaganda broadcaster (see: US Busts Russian AI-Driven Disinformation Operation).