DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The coordinated effort aims to disrupt state-backed cyber attacks and protect sensitive American data.
The U.S. Department of Justice (DoJ) has revealed that it successfully took down 41 malicious websites allegedly operated by Russian intelligence agents and their collaborators. The seized domains were reportedly being used to conduct malicious cyber activities, including targeting American institutions, in what authorities have called a “sophisticated and ongoing” campaign to exploit sensitive data.
According to the DoJ, the seized domains were being used by a group known as the “Callisto Group,” an operational unit within the Russian Federal Security Service (FSB). The group is accused of orchestrating spear-phishing campaigns—targeted email attacks designed to deceive recipients into revealing login credentials. The aim was to gain unauthorized access to confidential information from government entities and other high-value targets.
This action is part of a broader effort to counter state-sponsored cyber activity against U.S. targets and coincides with Microsoft’s announcement that it has taken control of 66 further domains run by the same group.
Deputy Attorney General Lisa Monaco highlighted the importance of the collaborative effort, saying, “Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action—using every tool at our disposal to disrupt and deter state-sponsored cyber actors.”
She added that the Russian government used these domains to impersonate legitimate entities and lure victims into a trap. With the help of private partners such as Microsoft, Monaco said, the Department of Justice is committed to exposing such actors and stripping them of their illicit capabilities.
Microsoft’s Role in the Joint Effort
Microsoft played a key role in this operation, filing a civil suit to seize 66 domains also linked to the Callisto Group, which Microsoft internally refers to as “Star Blizzard.” The company’s Threat Intelligence unit reported that, between January 2023 and August 2024, Star Blizzard was involved in targeting over 30 civil society organizations, including journalists, think tanks, and NGOs, in an attempt to exfiltrate sensitive information.
“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with the DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard. While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern.”
Microsoft
The affidavit supporting the domain seizures describes a sustained operation targeting numerous individuals and organisations, ranging from former U.S. government employees to defence contractors and Department of Energy staff. These actions, authorities say, were part of an effort to infiltrate key sectors and gather valuable intelligence.
Callisto Group
The Callisto Group, tracked by Microsoft as “Star Blizzard” (formerly SEABORGIUM) and by other vendors as COLDRIVER, has become notorious for its consistent use of spear-phishing.
These attacks often disguise themselves as legitimate communications, tricking victims into providing login information. The group reportedly targeted individuals linked to the U.S. Intelligence Community, as well as contractors working with sensitive U.S. agencies.
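The impersonation pattern described above (a lure host built to look like a legitimate login or mail service) is something defenders can hunt for in their own click or proxy logs once a takedown like this is announced. The following Python is an added example, not code from the article, the DoJ or Microsoft. The allowlist, the hostnames and the log lines are all constructed for illustration and none of them are domains named in the seizure; the `registrable()` helper uses a two-label approximation rather than the Public Suffix List, which is an assumption that real triage code should replace.

```python
"""Lookalike-domain triage for credential-phishing lures.

Added example; the allowlist and log lines are constructed, not taken from the
affidavit or from Microsoft's reporting.
"""
import re
from urllib.parse import urlparse

# Assumption: the defending organisation's own legitimate login hosts (made up).
LEGIT_HOSTS = {
    "example-thinktank.org",
    "mail.example-thinktank.org",
    "login.cloudmail.example",
}

# Constructed proxy / mail-gateway log lines: timestamp, user, clicked URL.
SAMPLE_LOG = [
    "2024-10-03T10:14:02Z user=alice url=https://mail.example-thinktank.org/owa",
    "2024-10-03T10:15:40Z user=bob url=https://example-thinktank.org.login-portal.net/signin",
    "2024-10-03T10:16:11Z user=carol url=https://examp1e-thinktank.org/reset",
    "2024-10-03T10:17:59Z user=dave url=https://cloudmail-example.com/login",
    "2024-10-03T10:18:30Z user=erin url=https://news.example.net/article",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host.

    Assumption: a two-label approximation. Production code should consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> str:
    """Return 'legit', 'lookalike', 'brand-abuse' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return "legit"
    reg = registrable(host)
    for legit_reg in {registrable(h) for h in LEGIT_HOSTS}:
        brand = legit_reg.split(".")[0]
        if reg == legit_reg:
            # Same registrable domain the organisation owns, just a host we did not list.
            return "legit"
        # Typosquat: the registrable domain is within two edits of a real one
        # (examp1e-thinktank.org vs example-thinktank.org).
        if levenshtein(reg, legit_reg) <= 2:
            return "lookalike"
        # Brand abuse: the real brand appears as a subdomain or hyphenated fragment
        # under a different registrable domain (example-thinktank.org.login-portal.net).
        if brand in host:
            return "brand-abuse"
    return "unknown"


def scan(lines):
    """Extract every URL from the log lines and classify its host."""
    results = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host:
                results.append((url, classify(host)))
    return results


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG):
        if verdict != "legit":
            print(f"{verdict:12} {url}")
```

Only the "lookalike" and "brand-abuse" verdicts are worth an analyst's time; "unknown" simply means the host resembles nothing on the allowlist, which is the normal case for most traffic. A real hunt would additionally match hosts directly against the seized-domain list attached to the affidavit, which this article does not reproduce.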
In December 2023 the DoJ charged two individuals associated with the Callisto Group, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both linked to FSB Center 18. The indictment accused them of taking part, on behalf of the Russian government, in a coordinated hacking campaign against entities in the U.S., the U.K., NATO member countries and Ukraine.
It is also worth noting that in August 2023 INTERPOL dismantled the ’16shop’ Phishing-as-a-Service (PhaaS) platform, followed in November 2023 by the seizure of another PhaaS platform, BulletProftLink.
Commenting on this, Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, said, “The takedown serves a few purposes: Disrupting existing operations, their infrastructure, and their operatives. It puts ColdRiver, and others, ‘on notice’ that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while.”
“Importantly, the announcement and the amount of signalling the USG is doing around this takedown is intended to send a message, both to foreign adversaries as well as those being protected here – Russia is a real adversary, with real cyber-operations underway,” Ellis warned.
This latest seizure shows that authorities are not only responding to cyberattacks but also proactively dismantling the infrastructure behind them. The ongoing collaboration between the Justice Department, the FBI, Microsoft and other agencies also shows how the government and the private sector, working together, can disrupt such operations faster.