On October 3, the United States District Court for the District of Columbia unsealed a civil case initiated by Microsoft’s Digital Crimes Unit (DCU), which includes a court order permitting the seizure of 66 unique domains linked to the Russian state-sponsored threat actor known by various names, including Star Blizzard, Coldriver, and Callisto.
Star Blizzard is accused of utilizing these domains to conduct surveillance on Microsoft customers worldwide through an extensive campaign of targeted spear phishing. The victims encompass a wide range of individuals and organizations involved in civil society, including journalists, media organizations, non-governmental organizations (NGOs), and think tanks.
This lawsuit has been filed in partnership with the NGO Information Sharing and Analysis Center (NGOISAC) and in coordination with the U.S. Department of Justice (DOJ), which has already taken control of an additional 41 domains attributed to Star Blizzard. In total, over 100 malicious websites will be taken down, significantly disrupting Star Blizzard’s operations.
“While we anticipate that Star Blizzard will continue to establish new infrastructure, today’s action affects their operations at a crucial moment when the threat of foreign interference in U.S. democratic processes is particularly pressing,” stated Steven Masada, assistant general counsel for Microsoft DCU. “This will also allow us to efficiently disrupt any new infrastructure we identify via ongoing court proceedings. Additionally, through this civil action and the discovery process, Microsoft’s DCU and Threat Intelligence teams aim to gather important intelligence about this actor and its scope of activities, which will enhance our product security, help our cross-sector partners in their investigations, and enable us to identify and assist victims in their remediation efforts.”
Microsoft describes Star Blizzard’s activities as “relentless,” with its operations reportedly dating back to 2017. However, in the last two years, the group has significantly augmented its capabilities, targeting not only U.S. entities but also those in the NATO alliance.
Last year, the UK government officially connected Star Blizzard to Russia’s FSB and imposed sanctions on two individuals—Andrey Stanislavovich Korinets and Ruslan Aleksandrovich Peretyatko—linked to operations against UK targets, including hacking and leaking documents prior to the 2019 general election. Notably, investigative reporting by Computer Weekly revealed that the group targeted a former head of MI6 and leaked thousands of emails from a network of hard Brexit advocates, reportedly as an act of retribution for former Prime Minister Boris Johnson backing Ukraine.
Despite previous setbacks and imposed sanctions, Star Blizzard’s operations have demonstrated remarkable resilience. Masada noted that the operatives meticulously research their targets, impersonating trusted contacts to establish trust and accomplish their objectives. It is estimated that 82 of Microsoft’s customers have been targeted since January 2023, with roughly one attack occurring each week.
“This frequency highlights the group’s commitment to identifying high-value targets, crafting personalized phishing emails, and developing robust infrastructure for stealing credentials. Victims often remain oblivious to the malicious intent behind these communications, leading to compromised credentials, resource strain, operational disruption, and heightened anxiety among victims, all of which obstruct democratic engagement,” Masada explained.
An additional challenge in countering this threat has been Star Blizzard’s ability to rapidly adapt its operations and conceal its identity. The group is known to quickly shift to new domains when its existing infrastructure is exposed, a tactic observed once again following an August 2024 report by The Citizen Lab at the University of Toronto and the digital rights organization Access Now.
Masada emphasized the importance of collaborative efforts against cybercrime: “Today’s action exemplifies the impact we can achieve when we unite against cyber threats. We commend the DOJ for their collaboration on this and other essential matters, and we urge governments worldwide to partner with industry players like Microsoft in the shared mission of combating sophisticated cyber threats.”
Microsoft’s DCU plans to continue its proactive initiatives to disrupt cybercriminal infrastructure while collaborating with various stakeholders, including the private sector, civil society, government agencies, and law enforcement.
As a preventative measure, Microsoft recommends that all civil society organizations strengthen their security protocols by implementing multifactor authentication (MFA) on both personal and professional email accounts and enrolling in the Microsoft AccountGuard program, which offers tailored protection.
However, Microsoft asserts that these efforts must be accompanied by the enforcement of international norms to curtail nation-state-backed cyberattacks, particularly those targeting democratic processes. The company notes that Star Blizzard, and by extension Russia, are clearly violating the UN Framework for Responsible State Behaviour Online.