Microsoft and the U.S. Department of Justice (DOJ) have seized more than 100 internet domains linked to a sophisticated Russian hacking group. This joint action, announced on October 4, 2024, marks a major blow to the cyber espionage efforts of the group known as the “Callisto Group” or “Star Blizzard,” which has been associated with Russia’s Federal Security Service (FSB).
Russian hacking group operation scope
The operation involved the seizure of 107 domains in total:
- The DOJ seized 41 internet domains used by Russian intelligence agents and their proxies.
- Microsoft’s Digital Crimes Unit (DCU) seized an additional 66 unique domains operated by the same group.
This coordinated effort aims to disrupt an ongoing and sophisticated spear-phishing campaign designed to steal sensitive information from U.S. government computers and email accounts.
Targets of the hacking campaign
The Callisto Group’s targets were wide-ranging and strategically significant, including:
- Former U.S. intelligence employees
- Current and former Department of Defense personnel
- Department of State employees
- Department of Energy staff
- U.S. military defense contractors
- U.S.-based companies
Additionally, Microsoft observed that between January 2023 and August 2024, the group targeted over 30 civil society organizations, including journalists, think tanks, and non-governmental organizations (NGOs) crucial to democratic processes.
The Russian hacking group’s tactics

The Callisto Group, active since at least 2017, employed sophisticated spear-phishing techniques to gain unauthorized access to their targets’ computers and email accounts. Their methods included:
- Using seemingly legitimate email accounts to trick victims into revealing their credentials.
- Crafting personalized phishing emails to high-value targets.
- Developing infrastructure for credential theft.
- Reusing stolen credentials to access victims’ other personal and corporate accounts, as well as government portals.
Impact of the operation
This operation represents a significant disruption to the Russian-backed hacking group’s activities:
- Immediate disruption: The seizure of these domains will force the group to rebuild their infrastructure, a process that consumes time, resources, and money.
- Intelligence gathering: The seizures will enable investigators to gain valuable intelligence about the Russian state actors, which can be used to improve product security and assist victims.
- Protecting democratic processes: The action comes at a critical time when foreign interference in U.S. democratic processes is of utmost concern.
- Collaboration showcase: This operation demonstrates the effectiveness of public-private partnerships in combating cyber threats.
Official statements from DOJ and Microsoft
Deputy Attorney General Lisa Monaco emphasized the significance of this operation:
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”
Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit, added:
“By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.”
Looking ahead
While this operation deals a significant blow to the Callisto Group’s activities, both Microsoft and the DOJ acknowledge that it won’t completely stop the group. Experts anticipate that the cybercriminals will establish new infrastructure in the coming weeks and months.
However, this action sets a precedent for future collaborations between tech companies and government agencies in combating state-sponsored cyber threats. It also serves as a warning to other malicious actors and demonstrates the commitment of both the public and private sectors to protecting sensitive information and maintaining the integrity of democratic processes.
As cyber threats continue to evolve, operations like this highlight the ongoing need for vigilance, cooperation, and innovation in the field of cybersecurity. The success of this joint effort between Microsoft and the DOJ may pave the way for similar actions against other state-sponsored hacking groups in the future.

