Microsoft and the U.S. Department of Justice have dismantled part of the digital infrastructure used by a Russian hacking group known as Star Blizzard. The collective, which has been operating since at least 2017, focused on attacks against journalists, NGOs, and think tanks.
An operation led to the seizure of over 100 domains associated with their cyberattacks. The domains had been critical in carrying out phishing campaigns designed to steal login credentials from their targets.
Star Blizzard's recent activity concentrated on undermining democracy by hacking into organizations that protect democratic institutions. Among the targets were individuals such as former intelligence officials, Russia experts, and even Russian citizens living in the U.S.
According to Microsoft’s security team, the group’s campaigns from January 2023 to August 2024 targeted more than 30 organizations. These operations specifically aimed to steal credentials in order to disrupt the organizations' work.
Star Blizzard’s Phishing Methods
Star Blizzard has developed strong expertise in creating sophisticated phishing schemes. The group often disguises itself as a trusted contact, sending fake emails to trick recipients into providing sensitive information. This method has allowed the group to gather login details from high-value individuals across multiple sectors.
According to Microsoft, Star Blizzard’s attacks averaged about one per week, with most efforts focusing on U.S.-based NGOs and organizations involved in supporting Ukraine and NATO.
Phishing remains one of the most effective tools used by Star Blizzard. These targeted messages mimic legitimate requests, catching the victims off guard. Their success in compromising systems led to serious breaches in civil society operations, forcing many to strengthen their cybersecurity measures.
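The impersonation pattern described in this section (a message that presents a familiar contact's name but originates elsewhere, or steers replies to a different mailbox) can be flagged with a few header checks at the mail gateway. The following is an added, defender-side example and is not code from the article or from Microsoft; the trusted-contact directory, the domain names and the three sample messages are constructed for illustration.

```python
"""Heuristic checks for display-name impersonation and lookalike sender domains.

Added example, not code from the original article or from Microsoft. The
trusted-contact directory, the domains and the sample messages are constructed;
a real deployment would feed these from a directory service and a mail gateway.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> domain that contact mails from.
TRUSTED_CONTACTS = {
    "jane doe": "thinktank.example",
    "ngo helpdesk": "ngo.example",
}
TRUSTED_DOMAINS = set(TRUSTED_CONTACTS.values())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address; empty string if there is none."""
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. A trusted display name arriving from a domain that contact never uses.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(
            f"display-name impersonation: '{name}' from {from_domain}, expected {expected}"
        )

    # 2. Sender domain one edit away from a trusted domain (typosquat / lookalike).
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_domain, trusted) == 1:
                findings.append(f"lookalike domain: {from_domain} resembles {trusted}")

    # 3. Reply-To steering replies to a domain other than the visible sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = _domain(parseaddr(str(reply_to))[1])
        if rt_domain and rt_domain != from_domain:
            findings.append(f"reply-to mismatch: replies go to {rt_domain}, not {from_domain}")
    return findings


# Constructed sample messages (not real captures).
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane@thinktank.example>\n"
        "To: analyst@target.example\n"
        "Subject: Draft for review\n\n"
        "Attached is the draft we discussed.\n"
    ),
    "impersonation": (
        "From: Jane Doe <jane.doe@webmail.example>\n"
        "Reply-To: jane.doe@another.example\n"
        "To: analyst@target.example\n"
        "Subject: Shared document\n\n"
        "Please sign in to view the file.\n"
    ),
    "lookalike": (
        "From: Press Office <press@thinktanck.example>\n"
        "To: analyst@target.example\n"
        "Subject: Interview request\n\n"
        "Could you confirm your availability?\n"
    ),
}


def audit(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run the checks over a batch of raw messages, keyed by label."""
    return {label: check_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(label, "->", findings or ["clean"])
```

These checks are deliberately simple and produce leads for an analyst rather than verdicts: a contact who legitimately writes from a personal address will trip the first rule, which is exactly the case where an out-of-band confirmation (and MFA on the account being asked for) matters most.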
Star Blizzard has continuously refined their detection evasion capabilities while remaining focused on email credential theft against the same targets. This blog provides updated technical information about Star Blizzard TTPs: https://t.co/7qHB2eB7Wc
— Microsoft Threat Intelligence (@MsftSecIntel) October 3, 2024
Microsoft and DOJ Seize Critical Infrastructure
In response to the increasing frequency of these attacks, Microsoft’s Digital Crimes Unit (DCU) took legal action in the District Court for the District of Columbia. The court granted an order to seize 66 domains, while the DOJ captured an additional 41. All domains had been essential in Star Blizzard’s phishing campaigns, and taking them down severely disrupted the group’s ability to continue their operations.
While the action dealt a serious blow to Star Blizzard, both Microsoft and the DOJ noted that the group is likely to regroup and rebuild its infrastructure. However, Microsoft is confident that future disruptions can be expedited through ongoing legal processes.
Global Reach and Collaboration
Star Blizzard’s reach extends beyond the United States. The group has been active across Europe, particularly in countries like the U.K., Ukraine, and the Baltics. In 2023, the British government linked the group’s activities to Russia’s Federal Security Service (FSB), underscoring the geopolitical implications of their cyberattacks.
The group’s methods have remained largely unchanged, with phishing remaining their primary tactic. However, their ability to quickly adapt and move to new domains after one is compromised has allowed them to continue their operations even in the face of increased scrutiny from governments and cybersecurity firms.
A report published by The Citizen Lab at the University of Toronto in August 2024 also highlighted the group’s tactics. The research detailed how Star Blizzard was able to maintain its presence even after major setbacks, including the loss of key domains. The report further stressed that the group remains a serious threat to global cybersecurity.
Microsoft’s Response to Nation-State Cyber Threats
Microsoft’s collaboration with the DOJ highlights the importance of public-private partnerships in combating cybercrime. Through this effort, they were able to take down a substantial part of Star Blizzard’s infrastructure, forcing the group to rethink its operations. The tech company has also been actively working with other NGOs and civil society groups to help mitigate the damage caused by such attacks.
Microsoft’s DCU has encouraged organizations to strengthen their defenses against cyber threats by implementing multi-factor authentication and other security protocols. Their AccountGuard program, designed specifically for at-risk organizations, provides enhanced monitoring and protection against these nation-state actors.
Last Updated on November 7, 2024 2:39 pm CET