The Justice Department has revealed the unsealing of a warrant authorizing the seizure of 41 internet domains used by Russian intelligence agents and their proxies for computer fraud and abuse in the United States. This action is part of a broader effort outlined in the National Cybersecurity Strategy, aiming to disrupt malicious cyber activities through public-private collaboration. The department's move was made alongside Microsoft's civil action to restrain 66 internet domains used by similar actors.
Deputy Attorney General Lisa Monaco stated, “Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors.” She highlighted that the Russian government executed this scheme to steal sensitive information from Americans by tricking victims into revealing account credentials. Monaco emphasized ongoing efforts with private sector partners to expose and deprive Russian actors and cybercriminals of their illicit tools.
Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division commented on these efforts: “This disruption exemplifies our ongoing efforts to expel Russian intelligence agents from the online infrastructure they have used to target individuals, businesses, and governments around the world.” He acknowledged close cooperation with private-sector partners like Microsoft in confronting future cyber-enabled threats from Russia and other adversaries.
U.S. Attorney Ismail J. Ramsey for the Northern District of California noted, “This seizure is part of a coordinated response with our private sector partners to dismantle the infrastructure that cyber espionage actors use to attack U.S. and international targets.” He expressed gratitude towards private-sector partners for their role in analyzing, publicizing, and combating these illicit actions across various regions.
According to an affidavit supporting the government's seizure warrant, hackers linked to or acting as criminal proxies for the "Callisto Group," associated with Center 18 of Russia's Federal Security Service (FSB), utilized these domains for unauthorized access campaigns targeting U.S. government entities among others. These operations were part of an advanced spear-phishing campaign aimed at extracting valuable information from computers and email accounts.
In tandem with these developments, Microsoft announced a civil action against 66 internet domains also employed by Callisto Group actors. Microsoft's Threat Intelligence identifies this group as "Star Blizzard" (formerly SEABORGIUM or COLDRIVER). Between January 2023 and August 2024, Star Blizzard targeted over 30 civil society entities such as journalists, think tanks, and NGOs through spear-phishing campaigns designed to extract sensitive information.
The affidavit further alleges that Callisto Group actors targeted U.S.-based companies along with former employees of various U.S. departments including Defense and State employees, military defense contractors, as well as staff at the Department of Energy. In December 2023 charges were announced against two Callisto-affiliated individuals: Ruslan Aleksandrovich Peretyatko (an officer in FSB Center 18) and Andrey Stanislavovich Korinets; both charged with hacking into networks across multiple countries on behalf of Russia.
The FBI San Francisco Field Office is leading investigations into this case while prosecution falls under both U.S Attorney’s Office for Northern District California along with Justice Department’s National Security Cyber Section within its National Security Division.
Currently docketed under Application by United States Seizure Warrant For Investigation No.:4-24-71375(N.D.Cal.Sept16th),the affidavit remains merely allegations pending proof beyond reasonable doubt within legal proceedings affirming defendants' innocence until proven otherwise