The group known as Star Blizzard, previously identified as SEABORGIUM and also referred to as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie, remains actively engaged in spear-phishing attacks. Their focus extends to targeted entities in the UK and other regions of interest as part of information-gathering endeavours.
According to assessments from various web application cyber security auditors, including the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the New Zealand National Cyber Security Centre (NCSC-NZ), and the Canadian Centre for Cyber Security (CCCS), Star Blizzard most likely functions under the direction of the Russian Federal Security Service (FSB) Centre 18.
Previous industry reports have provided insights into Star Blizzard’s activities, and this advisory builds upon that existing information.
The purpose of this advisory is to highlight the ongoing spear-phishing techniques employed by Star Blizzard against individuals and organisations. This pattern of activity is observed to persist into 2023, prompting increased awareness in the cybersecurity community.
Profiles Targeted by Star Blizzard
Starting in 2019, Star Blizzard has set its sights on a variety of sectors, encompassing academia, defence, government entities, private (NGOs), political figures, and think tanks.
The impact of Star Blizzard’s actions seems most pronounced in the UK and the US, with these locations experiencing a significant influence from the group. However, there are indications of their activities extending beyond, affecting targets in other NATO countries and those situated near Russia.
In the course of 2022, Star Blizzard’s operations seemed to broaden even further, now encompassing defence-industrial targets and extending to facilities associated with the US Department of Energy.
Details of the Attacks
The modus operandi aligns with spear-phishing campaigns, a method wherein an actor singles out a specific individual or group based on information known to be pertinent to the targets. In spear-phishing, the actor believes the target can provide direct access to relevant information, serve as an access point to another target, or fulfil both roles.
Research and Preparation
Star Blizzard engages in thorough reconnaissance, utilising open-source tools such as social media and professional networking platforms to unearth hooks for targeting. They invest time in understanding the interests of their targets and identifying their real-world social or professional connections.
To enhance their credibility, Star Blizzard crafts email accounts that mimic the known contacts of their targets. Additionally, they fabricate social media or networking profiles posing as reputable experts and have employed purported conference or event invitations as bait.
Star Blizzard employs webmail accounts from various providers, such as Gmail, Yahoo, Outlook and Proton Mail, in their early communication. In this phase, they assume the identity of recognised contacts of the target or well-known figures in the target’s field or sector.
To enhance credibility, the actor goes further by creating malicious domains that closely resemble legitimate organisations.
The Microsoft Threat Intelligence Centre (MSTIC) has compiled a catalogue of Indicators of Compromise (IOCs) in the SEABORGIUM posts, though it’s important to note that this list may not cover all instances.
Preferential Use of Personal Email
Star Blizzard tends to direct spear-phishing emails primarily to the personal email addresses of their targets, although they have also been known to utilise corporate or business email addresses. This intentional use of personal emails may serve to evade security measures in place on corporate networks.
After conducting thorough research on their targets’ interests and contacts to create a convincing approach, Star Blizzard shifts to building trust. They often initiate contact on a benign topic designed to engage their targets. This phase may involve ongoing correspondence between the attacker and target, sometimes spanning an extended period, as rapport is established.
Delivery of a Deceptive Link
Once a sense of trust is established, the attacker employs standard phishing techniques by sharing a link that seemingly directs to a document or website of interest. This link guides the target to a server controlled by the actor, prompting the input of account credentials.
The deceptive link can take the form of a URL within an email message, or the actor may embed a link in a document hosted on platforms like OneDrive, Google Drive, or other file-sharing services.
Star Blizzard uses the open-source EvilGinx framework in their spear-phishing attacks so they can efficiently harvest session cookies and credentials, getting around two-factor verification.
Exploitation and Subsequent Actions
Regardless of the delivery method, once the target clicks on the deceptive URL, they are redirected to an actor-controlled server mimicking the sign-in page of a legitimate service. At this point, whatever credentials entered are vulnerable.
Subsequently, Star Blizzard utilises the pilfered credentials to log in to the target’s email account, where they engage in unauthorised access, extracting emails and attachments from the victim’s inbox. Additionally, they establish mail-forwarding rules, granting ongoing visibility into the victim’s correspondence.
The actor also leverages their access to a victim’s email account to reach mailing-list data and the victim’s contacts list, subsequently using this information for further targeted actions. Compromised email accounts have also been exploited for subsequent phishing activities.
Many actors use spear-phishing, an established technique that is used by Star Blizzard successfully. Also, evolving the technique to maintain its success. Mr. Manish Chaudhari, CISO of Cybernetic Global Intelligence, an internationally recognised provider of cybersecurity services, said that “individuals and organisations from previously targeted sectors, particularly those undergoing Web Application Cyber Security Assessment, should be vigilant of the techniques described in this advisory.” Finally, it should be noted that the ongoing difficulties in cybersecurity are highlighted by the persistent and international spear-phishing campaigns that the Russian FSB Cyber Actor Star Blizzard orchestrated. In order to protect digital borders from such highly skilled adversaries, cooperation and innovation in defence mechanisms become essential as nations struggle with constantly changing threats.
To know more about how companies can shield themselves from cyberattacks, refer to our other blogs posted on our website. Besides, if you are worried about cyber security, make sure to consult a reputed cyber security provider like Cybernetic Global Intelligence to stay prepared for a cyber attack and prevent any breaches. For details, call 1300 292 376, send an email to firstname.lastname@example.org.