Microsoft and the Justice Department have seized over 100 domains used by the Russian ColdRiver hacking group to target United States government employees and nonprofit organizations from Russia and worldwide in spear-phishing attacks. "Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities," said Steven Masada, Assistant General Counsel at Microsoft's Digital Crimes Unit. According to a partially unsealed affidavit, they attacked a wide range of potential victims, including United States-based companies and former and current employees of the United States Intelligence Community, Department of Defense, and Department of State, as well as staff at the Department of Energy and U.S. military defense contractors. Five Eyes cyber agencies warned in December 2023 of ColdRiver's spear-phishing attacks against academia, defense, governmental organizations, NGOs, think tanks, and politicians. In December, the U.S. State Department sanctioned two ColdRiver operators (one of them an FSB officer) who the DOJ also indicted for their involvement in a global hacking campaign coordinated by the Russian government. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," stated Deputy Attorney General Lisa Monaco. Also tracked as Callisto Group, Seaborgium, and Star Blizzard, the ColdRiver threat group has used open-source intelligence (OSINT) and social engineering skills to research and lure targets since at least 2017. In December, the United Kingdom and its Five Eyes allies linked this threat group to Russia's Federal Security Service (FSB), the country's internal security and counterintelligence service. Microsoft previously thwarted ColdRiver attacks against several European NATO nations by disabling the Microsoft accounts they used to harvest emails and monitor their victims' activity.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 03 Oct 2024 18:00:15 +0000