US, Microsoft Disrupts Russian FSB Hackers


Internet domains used by “Russian intelligence agents and their proxies” for cyberattacks, seized by the United States and Microsoft

The United States and Microsoft have disrupted a spear-phishing campaign carried out by a unit of the Russian Federal Security Service (FSB), or by criminal proxies working on its behalf.

This is according to the US Justice Department (DoJ), which unveiled a “warrant authorising the seizure of 41 internet domains used by Russian intelligence agents and their proxies to commit computer fraud and abuse in the United States.”

Last month the UK’s National Cyber Security Centre (part of GCHQ) and nine international allies exposed for the first time the tactics and techniques used by Unit 29155 of Russia’s military intelligence, the GRU, to carry out cyber-operations against government and critical infrastructure organisations around the world.


Domain seizures

Unit 29155 (also known as the 161st Specialist Training Centre) has been carrying out attacks since at least 2020. The group is made up of junior active-duty GRU officers and also relies on non-GRU actors, including known cyber-criminals and enablers, for its operations.

Now the US has turned its attention to Russia’s FSB (the successor agency to the Soviet-era KGB), seizing 41 internet domains used by Russian intelligence agents and their proxies.

Meanwhile Microsoft has restrained 66 internet domains used by the same actors.

“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” said Deputy Attorney General Lisa Monaco.

“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” said Monaco. “With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”

“This disruption exemplifies our ongoing efforts to expel Russian intelligence agents from the online infrastructure they have used to target individuals, businesses, and governments around the world,” added Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“Working closely with private-sector partners such as Microsoft, the National Security Division uses the full reach of our authorities to confront the cyber-enabled threats of tomorrow from Russia and other adversaries,” said Olsen.

FSB’s Callisto Group/Star Blizzard

The US alleges the seized domains were used by hackers belonging to, or criminal proxies working for, the “Callisto Group,” an operational unit within Center 18 of the Russian Federal Security Service (the FSB).

The DoJ said this activity constitutes “unauthorised access to a computer to obtain information from a department or agency of the United States, unauthorised access to a computer to obtain information from a protected computer, and causing damage to a protected computer.”

Microsoft Threat Intelligence tracks this group as “Star Blizzard” (formerly known as Seaborgium or Coldriver).

The DoJ states that the Callisto Group hackers used the seized domains in an ongoing and sophisticated spear-phishing campaign aimed at gaining unauthorised access to, and stealing valuable information from, the computers and email accounts of the US government and other victims.

Spear-phishing emails are targeted messages crafted to appear to come from a trusted source, typically tricking the recipient into entering their account credentials on a page the attacker controls.
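As an added illustration, not part of the original article or of any vendor tooling, the following Python script shows one basic mail-gateway check for the "appears to come from a trusted source" trick: it compares the domain of the actual sender address against a list of domains the organisation trusts and flags display-name spoofing, lookalike domains and trusted names buried inside an attacker-controlled domain. The trusted domains and the sample From headers are constructed for the example and bear no relation to the seized domains, which the article does not list.

```python
"""Flag common sender-spoofing patterns in email From headers.

Added example. TRUSTED_DOMAINS and SAMPLE_FROM_HEADERS are constructed
test data, not indicators from the campaign described in the article.
"""
from email.utils import parseaddr

# Assumption: domains the recipient organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"example.gov", "thinktank-example.org"}

# Constructed sample headers covering one legitimate case, one legitimate
# subdomain case, and three spoofing patterns seen in credential phishing.
SAMPLE_FROM_HEADERS = [
    "Policy Desk <policy@thinktank-example.org>",                    # legitimate
    "Alerts <alerts@mail.example.gov>",                              # legitimate subdomain
    '"john.smith@example.gov" <john.smith@mail-example.com>',        # display-name spoof
    "IT Support <helpdesk@examp1e.gov>",                             # lookalike ('1' for 'l')
    "Login Portal <noreply@example.gov.login-portal.net>",           # trusted name as prefix
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return ("ok"|"suspicious"|"unknown", [reasons]) for a From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []

    # Exact trusted domain or a real subdomain of it is fine.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "ok", reasons

    for trusted in TRUSTED_DOMAINS:
        # Display name claims a trusted domain but the real address does not match.
        if trusted in name.lower():
            reasons.append(f"display name mentions {trusted} but sender domain is {domain}")
        # Trusted domain used as the leading labels of an unrelated domain.
        if domain.startswith(trusted + "."):
            reasons.append(f"{trusted} appears as a prefix of attacker-controlled {domain}")
        # Close typographic lookalike of a trusted domain.
        elif 0 < levenshtein(domain, trusted) <= 2:
            reasons.append(f"{domain} is a lookalike of {trusted}")

    return ("suspicious" if reasons else "unknown"), reasons


def scan_headers(headers):
    """Classify every header; returns a list of (header, verdict, reasons)."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reasons in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10s} {header}")
        for r in reasons:
            print(f"           - {r}")
```

A check like this only catches sender-side spoofing; it does nothing against a compromised legitimate mailbox, which is why the credential-harvesting link itself and the login page it leads to still need separate inspection.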

In parallel, Microsoft announced that it had filed a civil action to seize 66 internet domains also used by Callisto/Star Blizzard actors.

Redmond pointed out that between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society entities and organisations – journalists, think tanks, and non-governmental organisations (NGOs) – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.

The government’s affidavit also alleges that Callisto targeted US-based companies, former employees of the US Intelligence Community, former and current Department of Defense and Department of State employees, US military defense contractors, and staff at the Department of Energy.

UK lawmakers

In December 2023, the DoJ announced charges against two Callisto-affiliated actors, Ruslan Aleksandrovich Peretyatko (Перетятько Руслан Александрович), an officer in FSB Center 18, and Andrey Stanislavovich Korinets (Коринец Андрей Станиславович).

The indictment charged the defendants with a campaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty Organisation member countries, and Ukraine, all on behalf of the Russian government.

Last year the NCSC accused the same FSB group (Center 18) of carrying out a “sustained” attack on UK politicians and lawmakers, and on the democratic process in the UK.

In 2017, researchers at F-Secure identified Callisto as targeting Foreign Office staff with highly targeted email messages designed to trick them into handing over their email credentials.