{
	"id": "0c6efb91-68bd-4e52-ae82-dcdeb97a50cc",
	"created_at": "2026-04-06T00:12:52.869819Z",
	"updated_at": "2026-04-10T03:34:43.782596Z",
	"deleted_at": null,
	"sha1_hash": "3dfcd84139c79c91d321fa977ac88e3b726a202f",
	"title": "Disrupting COLDRIVER: U.S. court orders seizure of domains used in Russian cyberattacks - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51508,
	"plain_text": "Disrupting COLDRIVER: U.S. court orders seizure of domains\r\nused in Russian cyberattacks - The Citizen Lab\r\nBy Alyson Bruce\r\nPublished: 2024-10-03 · Archived: 2026-04-05 17:32:48 UTC\r\nMicrosoft’s Digital Crimes Unit takes legal action to dismantle Russia-based threat actor COLDRIVER following\r\na joint investigation by The Citizen Lab and Access Now.\r\nIn August, The Citizen Lab, jointly with Access Now, in collaboration with First Department, Arjuna Team, and\r\nRESIDENT.ngo, published a report that uncovered two distinct spear-phishing campaigns targeting members of\r\nRussian and Western civil society. One of the campaigns was attributed to COLDRIVER (also known as STAR\r\nBLIZZARD, among other names), a threat group attributed to the Russian Federal Security Service (FSB) by\r\nmultiple governments.\r\nToday, the United States District Court for the District of Columbia unsealed a civil action aimed at seizing and\r\ndisrupting the digital infrastructure used by COLDRIVER to target civil society and other actors.\r\n“I welcome this action, and I hope other platforms and governments follow suit. It’s already dangerous enough to\r\nbe a Russian journalist or a Belarusian dissident. Unfortunately, thanks to groups like STAR BLIZZARD, being\r\noutspoken about Putin may be a ticket to getting hit with an onslaught of personalized digital attacks,” says John\r\nScott-Railton, senior researcher at The Citizen Lab and co-author of the report.\r\n“We shouldn’t ask people to be perfectly distrustful of every message in their inbox. They couldn’t be effective at\r\ntheir important jobs. Yet a single account compromise of a journalist or dissident can ripple throughout a whole\r\nnetwork of people, with consequences for their safety and liberty. This is why it is so important to see platforms\r\ntaking actions to impose cost on Russian hacking operations.”\r\nMicrosoft’s Digital Crimes Unit (DCU) filed the lawsuit together with the NGO Information Sharing and Analysis\r\nCenter (NGO-ISAC) and coordinated with the U.S. Department of Justice (DOJ), which simultaneously seized\r\nadditional domains attributed to STAR BLIZZARD.\r\nAccess Now filed a legal statement in support of this civil action, which included statements from Russian civil\r\nsociety victims impacted by this hacking operation.\r\n“Direct action against the ability of the Russian government to carry out these hacking operations is critical. What\r\nwe observed in our investigation, and the follow-on attacks tracked by Access Now, is that these groups aren’t\r\nafraid of being discovered. As long as they can continue to fool people with increasingly sophisticated\r\nimpersonation and personalized attacks, they will. A coordinated disruption of the digital infrastructure used in\r\nthese attacks will have a significant impact, with the goal of forcing them to stop current operations to rebuild,”\r\nsays Rebekah Brown, senior researcher at The Citizen Lab and co-author of the report.\r\nhttps://citizenlab.ca/2024/10/disrupting-coldriver/\r\nPage 1 of 2\n\n“Microsoft DCU and the NGO-ISAC have helped protect individuals who are at risk from these continued\r\nintrusions. As we get closer to critical election cycles, both in the U.S. and globally, they have also helped build a\r\nplaybook for how companies and NGOs can respond when, not if, Russian hacking operations resume.”\r\nRead Access Now’s press release here.\r\nRead Microsoft’s blog post here.\r\nRead the U.S. Department of Justice’s press release here.\r\nIf you believe you have been targeted by COLDRIVER or other threat actors, follow the digital security\r\nrecommendations outlined by The Citizen Lab and Access Now and contact Access Now’s Digital Security\r\nHelpline.\r\nSource: https://citizenlab.ca/2024/10/disrupting-coldriver/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2024/10/disrupting-coldriver/"
	],
	"report_names": [
		"disrupting-coldriver"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dfcd84139c79c91d321fa977ac88e3b726a202f.pdf",
		"text": "https://archive.orkl.eu/3dfcd84139c79c91d321fa977ac88e3b726a202f.txt",
		"img": "https://archive.orkl.eu/3dfcd84139c79c91d321fa977ac88e3b726a202f.jpg"
	}
}