(Bloomberg) -- The US government and Microsoft Corp. have seized 107 websites used by Russian intelligence agents and their proxies in the US, according to the Department of Justice and the tech giant.
The Justice Department seized 41 internet domains used to commit computer fraud and abuse in the US, while Microsoft seized another 66 under a civil action, the two organizations said. The domains were operated by a group that Microsoft tracks as Star Blizzard, which the US and its allies say works for the Russian Federal Security Service (FSB) and has been active since at least 2016.
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” US Deputy Attorney General Lisa Monaco said in a statement.
Star Blizzard targeted Microsoft customers with email campaigns that carried phishing links, aiming to harvest sensitive information and interfere with the victims' activities, according to a blog post from Steven Masada, assistant general counsel of Microsoft's Digital Crimes Unit. Microsoft identified more than 30 targets, including journalists, think tanks and non-governmental organizations, he said.
US-based companies, former employees of the US intelligence community, personnel at US defense contractors and officials at the departments of Defense, State and Energy also were targeted, according to the government’s affidavit, dated September 13.
The US in December indicted two Russian nationals, alleging they were members of the group and had stolen information that was then used in malign influence campaigns aimed at the UK's 2019 elections on behalf of the Russian government.
The FSB-affiliated group remains active, but Masada said that the takedowns would slow them down by forcing attackers to dedicate time and resources to updating their techniques. Microsoft’s Digital Crimes Unit has previously filed 28 lawsuits to enable similar takedowns, according to the company.
Masada said the group is meticulous in the way it studies high-value targets and builds personalized online relationships with them to gain their trust before sending malicious links intended to steal the victim's passwords and other information. One successful phishing email from 2022, published in redacted form by Microsoft, included an attachment that the unidentified sender encouraged recipients to open, describing it as guidance for improving cybersecurity.
In the past, the group has been linked to a website that published private emails from a former UK spy chief and allegedly also targeted a former US ambassador to Ukraine. Other threat intelligence firms also refer to the same hacking group by other names, such as Cold River.
Natalia Krapiva, senior technology legal counsel at Access Now, a group that supports human rights defenders and helped uncover the campaign, said the takedowns were made possible in part by victims who came forward to share their data.
--With assistance from Ryan Gallagher.
©2024 Bloomberg L.P.