Microsoft and the US Take Control of 107 Russian Domains in a Large-Scale Cyberfraud Raid

On Thursday, Microsoft and the US Department of Justice (DoJ) announced the seizure of 107 domains from state-sponsored threat actors connected to Russia, which were being used to enable computer fraud and abuse in the United States.

“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” stated Lisa Monaco, Deputy Attorney General.

Threat actor COLDRIVER, also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (sometimes spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, has been linked to the activity.

The group has been operational since at least 2012 and is considered to be part of Center 18 of the Russian Federal Security Service (FSB).

Two group members, Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, were sanctioned by the US and UK governments in December 2023 for their spear-phishing and malicious credential harvesting activities. The same two people were then subject to sanctions by the European Council in June 2024.

According to the Department of Justice, threat actors were using the 41 recently seized domains to “commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer.”

The domains are purportedly part of a spear-phishing campaign that targets the email accounts of the US federal government and other victims in an attempt to obtain credentials and sensitive information.

In addition, Microsoft announced that it had filed a corresponding civil action to take control of 66 more internet domains that COLDRIVER had been using to target more than 30 civil society organizations and entities between January 2023 and August 2024.

This includes think tanks and NGOs that assist government workers, military personnel, and intelligence officials, especially those who aid Ukraine and other NATO nations like the U.K. and the U.S. Access Now and the Citizen Lab previously documented COLDRIVER’s targeting of NGOs in August 2024.