The U.S. Department of Justice (DoJ), in collaboration with Microsoft and civil society partners, has taken down over 100 internet domains associated with a Russian intelligence-linked hacking group known as “Callisto Group,” or “Star Blizzard.”
This joint effort marks a significant step in countering sophisticated spear-phishing campaigns that targeted U.S. government entities, civil society groups, journalists, and other organizations over the past two years.
Coordinated seizure of malicious domains
On October 3, 2024, the DoJ announced the unsealing of a warrant that authorized the seizure of 41 internet domains used by Russian intelligence operatives to conduct cyberattacks. These domains, allegedly controlled by the Callisto Group (tracked by Microsoft as “Star Blizzard”), were used in spear-phishing campaigns to steal sensitive information from U.S.-based entities. The warrant aligns with the National Cybersecurity Strategy, emphasizing public-private partnerships to counter state-sponsored cyber threats.
Concurrently, Microsoft launched a civil action to seize an additional 66 domains used by the same group. As Assistant Attorney General Matthew G. Olsen noted, the coordinated effort with private sector entities like Microsoft exemplifies a strategic response to emerging cyber threats.
Overview of the Star Blizzard group
Star Blizzard is believed to be part of Center 18 of the Russian Federal Security Service (FSB). Since at least 2017, Star Blizzard has actively engaged in cyber espionage, particularly using spear-phishing techniques to trick victims into revealing credentials and gain access to protected systems.
Their targets, identified between January 2023 and August 2024, included over 30 civil society entities such as journalists, think tanks, NGOs, former U.S. Intelligence Community employees, Department of Defense and Department of State staff, military defense contractors, and Department of Energy employees.
In December 2023, the DoJ brought charges against two alleged Callisto-affiliated actors, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, accusing them of hacking networks in the U.S., the U.K., other NATO countries, and Ukraine on behalf of the Russian government.
Collecting intelligence
In addition to their domain seizure efforts, Microsoft’s Digital Crimes Unit (DCU) observed Star Blizzard’s extensive spear-phishing campaigns and noted the group’s ability to adapt their tactics over time. Since January 2023, Microsoft reported Star Blizzard's targeting of 82 customers with phishing emails designed to steal email credentials. These emails were specifically crafted to look legitimate, increasing the likelihood of successful credential theft.
Access Now, a digital rights advocacy organization, also played a role in this joint action. It filed legal statements in support of Microsoft's civil lawsuit, offering evidence from Russian civil society victims impacted by the hacking operations. Access Now has been actively supporting individuals and organizations targeted by Star Blizzard through its Digital Security Helpline, and it has warned that the group’s operations have not ceased despite multiple exposures of their activities.
In August 2024, Access Now, in partnership with The Citizen Lab at the University of Toronto, published an investigation that revealed how Star Blizzard’s phishing campaigns had specifically targeted Russian and Belarusian nonprofits, independent media, and international NGOs active in Eastern Europe. Following that report, additional victims reached out for support.
who
Can’t help but think that AI had played or helped in both sides of their (push-pull) actions – you too think AI had a part?
This is from the inside to disrupt!
Have you or do you plan to article any news of-
AI-generated disinformation?
Where AI has the potential in NATO nations to significantly impact market capitalization (market cap) by manipulating investor decisions and sentiment to information about companies, products, or services.
Whereas the disinformation spread by AI and a reader's somnolence of facts, live at an inferior level under unfavorable circumstances to identify.
Generative AI lowers the barrier of entry for disinformation campaigns, making it easier for malicious regime actors to spread false information about companies, products, or services in free world trade nations.
Just look at the Romance scams on a population by the internet before AI, or even earlier with ‘I Have A Rich relative that passed and need a sponsor’ help to claim $000,000,000.
Playing on human weakness!