DOJ, Microsoft seize more than 100 domains used by the FSB
Microsoft and the U.S. Department of Justice on Thursday announced the seizure of more than 100 domains used by a Russian-backed hacking unit to target more than two dozen civil society organizations between January 2023 and August 2024.
Microsoft’s Digital Crimes Unit filed a lawsuit with the NGO Information Sharing and Analysis Center (NGO-ISAC) to seize 66 unique domains used by a hacking group Microsoft tracks as Star Blizzard, but which the U.S., British, and other western governments have attributed to the Russian Federal Security Service, more commonly known as the FSB.
The Department of Justice simultaneously seized 41 additional domains used by the same group, which it described as an operational unit within the FSB’s Center 18. The U.S. government indicted two Russian nationals working with the group in December 2023, levied sanctions against them and offered a $10 million reward for information on their location.
“Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.”
The combined action won’t stop the group, Masada added, but “today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding.”
The hacking unit used the domains — which were mostly created in early 2024 or late 2023 — to target former U.S. intelligence officials, current and former Defense and State Department employees, U.S. military defense contractors and staff at the Department of Energy, federal officials alleged in a partially redacted affidavit unsealed Thursday.
As part of the operation, the hackers accessed information about the identities of U.S. employees; defense, foreign affairs and security policies; and nuclear energy-related technology, research and development, according to the filing.
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” Deputy Attorney General Lisa Monaco said in a statement.
Star Blizzard has historically been known as a unit focused on email credential theft aimed at civil society, including journalists, think tanks and non-governmental organizations, according to Microsoft. Google’s Threat Analysis Group said in a January 2024 blog post that the unit has moved beyond credential phishing and now also deploys custom malware to accomplish its goals.
The Microsoft and DOJ actions come less than two months after a joint report from the Citizen Lab at the University of Toronto and Access Now, a human rights nonprofit, detailed attacks by the group, and a related but separate hacking effort.
Natalia Krapiva, senior tech-legal counsel for Access Now, told CyberScoop that what Microsoft is doing is a “great initiative” given that it can sometimes be hard to get major tech companies or governments to take actions against this kind of activity.
Krapiva added that these kinds of actions can also help those targeted feel more empowered.
“Oftentimes victims feel like they are not in control,” she said. Their devices are violated, information is taken from them, and they “have no say, no power over it anymore.” They can’t control whether the information will be “used to attack them physically or digitally to smear their reputation, or to go after their journalistic sources or partners,” and these large-scale disruptions “give the victims opportunity to be a part of this case that will hopefully have very practical and real implications.”
John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto, said he welcomed the action and hopes that other platforms follow Microsoft’s example, and that other governments follow the DOJ’s approach as well.
“It’s already dangerous enough to be a Russian journalist or a Belarusian dissident living in the diaspora and unfortunately, thanks to FSB operations like Star Blizzard, it turns out that being outspoken about somebody like [Russian President Vladimir] Putin is a ticket to getting hit with an onslaught of highly personalized, difficult-to-detect digital attacks,” Scott-Railton said.
Civil society members, especially those in the diaspora, rely on digital communication and collaboration.
“We shouldn’t expect people to be constantly distrustful of everything that lands in their inbox,” he said. “They wouldn’t be able to do their jobs. Yet a single slip-up is enough to lead to dramatic consequences that could impact people’s safety — and their liberty in this case. And that’s why it’s so important that platforms and bigger players take actions, including imposing costs like this.”