{
	"id": "3026a10b-56ae-4ac9-906c-b425ec977c05",
	"created_at": "2026-04-06T00:22:27.279294Z",
	"updated_at": "2026-04-10T03:35:41.640672Z",
	"deleted_at": null,
	"sha1_hash": "df7abc6dfd1cd452ea11b696dde3162f2873217a",
	"title": "Protecting Democratic Institutions from Cyber Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194562,
	"plain_text": "Protecting Democratic Institutions from Cyber Threats\r\nBy Steven Masada\r\nPublished: 2024-10-03 · Archived: 2026-04-05 16:27:21 UTC\r\nMicrosoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state actor that Microsoft Threat Intelligence tracks as Star Blizzard. Today, the United States District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States. Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.\r\nWe are filing this lawsuit with the NGO Information Sharing and Analysis Center (NGO-ISAC) and have coordinated with the Department of Justice (DOJ), which simultaneously seized 41 additional domains attributed to the same actor. Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.\r\nWhile we expect Star Blizzard to keep establishing new infrastructure, today’s action impacts their operations at a critical point in time, when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding. Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations, and identify and assist victims with remediation efforts.\r\nStar Blizzard’s operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions.\r\nStar Blizzard (also known as COLDRIVER and Callisto Group) has actively engaged in various forms of cyberattacks and activity since at least 2017. Since 2022, Star Blizzard has improved its detection-evasion capabilities while remaining focused on email credential theft against the same targets. Our actions today will impact those capabilities. Most recently, Star Blizzard has targeted NGOs and think tanks that support government employees and military and intelligence officials, especially those providing support to Ukraine and those in NATO countries such as the United States and the United Kingdom, as well as in the Baltics, the Nordics, and Eastern Europe. They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S. In 2023, the British government and its allies attributed Star Blizzard to the Russian Federal Security Service (FSB) and exposed the actor’s attempted interference in UK politics through the targeting of elected officials, think tanks, journalists, and the public sector.\r\nStar Blizzard is persistent.\r\nThey meticulously study their targets and pose as trusted contacts to achieve their goals. Since January 2023, Microsoft has identified 82 customers targeted by this group, at a rate of approximately one attack per week. This frequency underscores the group’s diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft. Victims, often unaware of the malicious intent, engage with these messages, leading to the compromise of their credentials. These attacks strain resources, hamper operations, and stoke fear in victims, all of which hinder democratic participation.\r\nExamples of phishing emails from Star Blizzard.\r\nStar Blizzard’s ability to adapt and obfuscate its identity presents a continuing challenge for cybersecurity professionals. Once their active infrastructure is exposed, they swiftly transition to new domains to continue their operations. For example, on August 14, 2024, The Citizen Lab of the University of Toronto’s Munk School and the digital rights group Access Now (itself a non-profit member of NGO-ISAC, which filed a declaration in support of this civil action) published a comprehensive research paper highlighting the persistent threat posed by this actor. Since publishing this report, Access Now and The Citizen Lab have been investigating several additional cases and believe at least one of these cases is associated with Star Blizzard. This shows that Star Blizzard remains active and is not deterred despite governments, companies, and civil society exposing their malicious activities.\r\nStar Blizzard’s activities underscore the importance of upholding international norms to govern responsible state behavior online.\r\nToday’s action is an example of the impact we can have against cybercrime when we work together. We applaud DOJ for their collaboration in this and other significant matters and encourage governments globally to engage and embrace industry partners, such as Microsoft, in a shared mission of combating increasingly sophisticated threats operating in cyberspace. Microsoft’s DCU will continue our efforts to proactively disrupt cybercriminal infrastructure and collaborate with others across the private sector and with civil society, government agencies, and law enforcement to fight back against those who seek to cause harm. DCU likewise will continue to innovate and develop new and creative ways to detect, disrupt, and deter the techniques and tactics of sophisticated cybercriminals to protect individuals online.\r\nAs a best practice, we encourage all civil society groups to harden their cybersecurity protections, use strong multi-factor authentication like passkeys on both personal and professional accounts (passkeys are phishing-resistant because the credential is bound to the legitimate site’s origin, so a lookalike domain cannot harvest a usable credential), and enroll in Microsoft’s AccountGuard program for an additional layer of monitoring and protection from nation-state cyberattacks. However, these efforts and commitments must be coupled with an application of international norms to limit cyberattacks associated with nation-states that purposely target the parts of society that enable democracy to thrive. Star Blizzard’s observed activity violates the UN Framework for Responsible State Behavior Online, a clear set of norms agreed upon by all UN member states to prevent their territories from being used for malicious online activity. By taking action against Star Blizzard, Microsoft and its partners are reinforcing the importance of these internationally agreed norms and demonstrating a commitment to their enforcement, aiming to protect civil society and uphold the rule of law in cyberspace.\r\nTags: cyberattacks, cybercrime, cybersecurity, Microsoft AccountGuard, Microsoft Threat Intelligence Center, phishing, Russia, The Digital Crimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/"
	],
	"report_names": [
		"protecting-democratic-institutions-from-cyber-threats"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df7abc6dfd1cd452ea11b696dde3162f2873217a.pdf",
		"text": "https://archive.orkl.eu/df7abc6dfd1cd452ea11b696dde3162f2873217a.txt",
		"img": "https://archive.orkl.eu/df7abc6dfd1cd452ea11b696dde3162f2873217a.jpg"
	}
}