U.S. authorities have seized dozens of internet domains used by Russian intelligence agents and their proxies to steal valuable information from U.S. government computers and email accounts, the Department of Justice revealed Thursday.
In a warrant unsealed this week, the department accused the “Callisto Group,” a unit under Russia’s FSB security service, of orchestrating an “ongoing and sophisticated spear phishing campaign” aimed at gaining unauthorized access to the computers and email accounts of victims.
The warrant alleged that Russian-directed cybercriminals pilfered “valuable information and sensitive United States government intelligence.”
Targets included former U.S. intelligence employees, former and current Department of Defense personnel, Department of State employees, Department of Energy staff, U.S. military contractors and U.S.-based companies.
The Justice Department seized 41 internet domains and coordinated the takedowns with tech giant Microsoft, which seized an additional 66 unique domains operated by the same group.
Between January 2023 and August 2024, Microsoft observed the nation state cybercriminals target “over 30 civil society organizations — journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive — by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities,” according to a blog post published by Microsoft’s Digital Crimes Unit on Thursday.
According to Microsoft, the Callisto Group — which the company refers to by the alias “Star Blizzard” — has been actively launching cyberattacks since at least 2017. The group has recently targeted nonprofits, think tanks and officials who have “provid[ed] support to Ukraine and in NATO countries such as the United States and the United Kingdom, as well as in the Baltics, Nordics, and Eastern Europe.”
“They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S.,” Microsoft’s Digital Crimes Unit wrote.
The Justice Department said the perpetrators sought to “improve their criminal scheme” by making phishing emails appear more authentic and mining breached email accounts for more information. They reused the stolen credentials of their targets to gain access to victims’ other personal and corporate accounts, as well as government portals.
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” Deputy Attorney General Lisa Monaco said in a statement. “With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”
Last December, the U.S. charged Ruslan Aleksandrovich Peretyatro, a member of the Callisto Group, with conspiracy to commit computer fraud, saying he was engaged in these spear-phishing attacks.
In its blog post on Thursday, Microsoft indicated that the domain seizures will enable its investigators to gain “valuable intelligence” about the Russian state actors, “which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts.” But the tech firm noted that it expects the cybercriminals to establish new infrastructure in the coming weeks and months.