Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts

The Justice Department announced today the unsealing of a warrant authorizing the seizure of 41 internet domains used by Russian intelligence agents and their proxies to commit computer fraud and abuse in the United States. As an example of the Department's commitment to public-private operational collaboration to disrupt such adversaries' malicious cyber activities, as set forth in the National Cybersecurity Strategy, the Department acted concurrently with a Microsoft civil action to restrain 66 internet domains used by the same actors.

"Today's seizure of 41 internet domains reflects the Justice Department's cyber strategy in action - using all tools to disrupt and deter malicious, state-sponsored cyber actors," said Deputy Attorney General Lisa Monaco. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade."

"This disruption exemplifies our ongoing efforts to expel Russian intelligence agents from the online infrastructure they have used to target individuals, businesses, and governments around the world," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division. "Working closely with private-sector partners such as Microsoft, the National Security Division uses the full reach of our authorities to confront the cyber-enabled threats of tomorrow from Russia and other adversaries."

"This seizure is part of a coordinated response with our private sector partners to dismantle the infrastructure that cyber espionage actors use to attack U.S. and international targets," said U.S. Attorney Ismail J. Ramsey for the Northern District of California. "We thank all of our private-sector partners for their diligence in analyzing, publicizing, and combating the threat posed by these illicit state-coordinated actions in the Northern District of California, across the United States, and around the world."

According to the partially unsealed affidavit filed in support of the government's seizure warrant, the seized domains were used by hackers belonging to, or criminal proxies working for, the "Callisto Group," an operational unit within Center 18 of the Russian Federal Security Service (the FSB), to commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer. Callisto Group hackers used the seized domains in an ongoing and sophisticated spear-phishing campaign with the goal of gaining unauthorized access to, and steal valuable information from, the computers and email accounts of U.S. government and other victims.

In conjunction, Microsoft announced the filing of a civil action to seize 66 internet domains also used by Callisto Group actors. Microsoft Threat Intelligence tracks this group as "Star Blizzard" (formerly SEABORGIUM, also known as COLDRIVER). Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society entities and organizations - journalists, think tanks, and nongovernmental organizations (NGOs) - by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.

The government's affidavit alleges the Callisto Group actors targeted, among others, U.S.-based companies, former employees of the U.S. Intelligence Community, former and current Department of Defense and Department of State employees, U.S. military defense contractors, and staff at the Department of Energy. In December 2023, the Department announced charges against two Callisto-affiliated actors, Ruslan Aleksandrovich Peretyatko (Перетятько Руслан Александрович), an officer in FSB Center 18, and Andrey Stanislavovich Korinets (Коринец Андрей Станиславович). The indictment charged the defendants with a campaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty Organization member countries, and Ukraine, all on behalf of the Russian government.

The FBI San Francisco Field Office is investigating the case.

The U.S. Attorney's Office for the Northern District of California and the Justice Department's National Security Cyber Section of the National Security Division are prosecuting the case.

The case is docketed at Application by the United States for a Seizure Warrant for 41 Domain Names For Investigation of 18 U.S.C. § 1956(a)(2)(A) and Other Offenses, No. 4-24-71375 (N.D. Cal. Sept. 16, 2024).

An affidavit in support of a seizure warrant and an indictment are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Public link

Please use the above public link if you want to share this noodl on another website.