The Russian hacking group COLDRIVER (also known as Star Blizzard or Callisto Group) has been active in cyberattacks since 2017. Since then, COLDRIVER has enhanced its detection evasion and continued to target email credential theft. Recently, COLDRIVER has focused its efforts on NGOs and think tanks supporting government employees, military officials and intelligence officials. This is especially seen in the case of those supporting Ukraine and NATO countries. 

Microsoft and the United States Department of Justice (DOJ) has announced the disruption of COLDRIVER’s technical infrastructure. This infrastructure was disrupted by Microsoft’s Digital Crimes Unit, leading the the seizure of 66 unique domains. 

Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, comments, “The takedown serves a few purposes: Disrupting existing operations, their infrastructure and their operatives. It puts COLDRIVER, and others, “on notice” that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while. Importantly, the announcement and the amount of signaling the USG is doing around this takedown is definitely intended to send a message, both to foreign adversaries as well as those being protected here — Russia is a real adversary, with real cyber-operations underway.” 

The DOJ simultaneously seized 41 domains, totaling more than 100 websites seized together. Rebuilding this technical infrastructure will require time, resources and money, thus impacting COLDRIVER’s operations. 

Stephen Kowski, Field CTO at SlashNext Email Security+, states, “While the takedown is a significant blow to COLDRIVER’s operations, it's important to remember that sophisticated threat actors are highly adaptable. They may regroup and establish new infrastructure, but this action certainly disrupts their current campaigns and forces them to expend resources rebuilding. The key to long-term security lies in continuous monitoring and rapid detection of new phishing domains and tactics as they emerge. 

“The effectiveness of such takedowns depends on the speed at which defenders can identify and neutralize new threats. Advanced AI-powered tools that can detect and block malicious URLs in real-time, even before they're widely known, are crucial in maintaining a robust defense against evolving phishing tactics. While this action may not make us completely safe, it does buy valuable time for organizations to strengthen their defenses and educate employees about emerging threats.

“Ultimately, the most effective strategy combines proactive measures like these takedowns with cutting-edge technology that can identify and neutralize new phishing attempts as they arise. By leveraging real-time threat intelligence and automated phishing detection systems, organizations can stay ahead of threat actors, regardless of how quickly they attempt to rebuild their infrastructure.”

While COLDRIVER will be impacted by this infrastructure disruption, Microsoft still encourages civil society groups to bolster their cybersecurity postures. 

Guy Rosenthal, Vice President of Product, at DoControl, says, “The Microsoft-DOJ takedown of more than 100 COLDRIVER domains is a significant blow to their operations, but it’s not without potential consequences. While it will disrupt their activities in the short term, we shouldn’t expect this to be the end of COLDRIVER or similar groups. In fact, this action might even paint a bigger target on Microsoft’s back.

“These state-sponsored groups are persistent and well-resourced. They’re likely to regroup and adapt their tactics. More concerning, they might view this as a challenge, potentially leading to increased efforts to compromise Microsoft’s own systems or services in retaliation. We’ve seen this pattern before — for instance, after Microsoft took action against the NICKEL group in 2021, there was a noticeable uptick in attempts by that group to breach Microsoft and its customers’ systems. It’s a reminder that these actions, while necessary, can sometimes provoke an aggressive response.

”That said, these takedowns do have value. They force threat actors to rebuild infrastructure, which takes time and resources. It also sends a message that these activities won’t go unchallenged. Perhaps most importantly, it provides valuable intelligence on their tactics and targets, which can help improve defenses across the board.

“But let’s be realistic — this is an ongoing battle. As long as there’s valuable information to be stolen, there will be actors trying to steal it. What’s crucial is that organizations don’t let their guard down. They need to assume that threats like COLDRIVER are constantly evolving and looking for new ways in.

“While we should applaud this takedown, it's not a reason to relax. It’s a call to double down on our cybersecurity efforts and stay vigilant against the next wave of attacks, whatever form they may take — and that includes keeping a close eye on our Microsoft environments for any signs of retaliatory action.”