Microsoft and the Justice Department have seized over 100 domains used by the Russian ColdRiver hacking group to target United States government employees and nonprofit organizations from Russia and worldwide in spear-phishing attacks.
In December, the United Kingdom and its Five Eyes allies linked this threat group to Russia’s Federal Security Service (FSB), the country’s internal security and counterintelligence service.
According to a partially unsealed affidavit, they attacked a wide range of targets, including United States-based companies and former and current employees of the United States Intelligence Community, Department of Defense, and Department of State, as well as staff at the Department of Energy and U.S. military defense contractors.
“Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities,” said Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit.
Together, Microsoft and the DOJ seized 107 domains—66 by Microsoft and 41 by the DOJ—dismantling the attack infrastructure used by ColdRiver hackers in ongoing attacks.
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” stated Deputy Attorney General Lisa Monaco.
“This seizure is part of a coordinated response with our private sector partners to dismantle the infrastructure that cyber espionage actors use to attack U.S. and international targets,” U.S. Attorney Ismail J. Ramsey added.
Active since at least 2017
Also tracked as Callisto Group, Seaborgium, and Star Blizzard, the ColdRiver threat group has used open-source intelligence (OSINT) and social engineering skills to research and lure targets since at least 2017.
Five Eyes cyber agencies warned in December 2023 of ColdRiver’s spear-phishing attacks against academia, defense, governmental organizations, NGOs, think tanks, and politicians. In 2022, after Russia invaded Ukraine, these attacks expanded to defense-industrial targets and U.S. Department of Energy facilities.
Microsoft previously thwarted ColdRiver attacks against several European NATO nations by disabling the Microsoft accounts they used to harvest emails and monitor their victims’ activity.
In December, the U.S. State Department sanctioned two ColdRiver operators (one of them an FSB officer) who the DOJ also indicted for their involvement in a global hacking campaign coordinated by the Russian government.
The State Department now offers up to $10 million in rewards for information that could help locate or identify other ColdRiver members.