Russian FSB hacker Star Blizzard targeting organizations using spear-phishing campaigns

Global security agencies published Thursday a cybersecurity advisory warning that a Russia-based hacker group, Star Blizzard (formerly known as SEABORGIUM and also referred to as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie), with links to the Russian Federal Security Service (FSB), is actively targeting organizations and individuals in the U.K. and other geographical areas of interest. The group has been identified as using spear-phishing attacks to gather information from its targets.

The latest guidance aims to raise awareness of the spear-phishing techniques used by Star Blizzard and of the group's ongoing activity, which has continued through 2023. It expands on the information previously shared by the Microsoft Threat Intelligence Center (MSTIC) in August last year regarding Star Blizzard attacks, and builds on that existing body of information.

“Since 2019, Star Blizzard has targeted sectors including academia, defence, governmental organisations, NGOs, think tanks and politicians,” the U.K. National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ), wrote in their advisory. They also assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

The agencies added that targets in the U.K. and U.S. appear to have been most affected by Star Blizzard activity, “however activity has also been observed against targets in other NATO countries, and countries neighbouring Russia. During 2022, Star Blizzard activity appeared to expand further, to include defence-industrial targets, as well as US Department of Energy facilities.”

“Russia continues to be a threat. They continue to successfully use known spear-phishing techniques for intelligence gathering,” Rob Joyce, director of NSA’s Cybersecurity Directorate, said in a media statement. “Those at risk should note that the FSB likes to target personal email accounts, where they can still get to sensitive information but often with a lower security bar.”

The activity is typical of spear-phishing campaigns, where hackers target a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.

“Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts,” according to the advisory. “Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts and have used supposed conference or event invitations as lures.”

Furthermore, Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo, and Proton Mail, in its initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. “To appear authentic, the actor also creates malicious domains resembling legitimate organisations,” the advisory added.

Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard then starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between the attacker and the target, sometimes over an extended period, as the attacker builds rapport.

“Once trust is established, the attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials,” the advisory detailed. “The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, Google Drive, or other file-sharing platforms. Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication.”

The agencies disclosed that whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.

They added that Star Blizzard then uses the stolen credentials to log in to a target’s email account, where they are known to access and steal emails and attachments from the victim’s inbox. “They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence. The actor has also used their access to a victim’s email account to access mailing list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity.”
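The mail-forwarding rules described above are one of the few persistence artefacts a defender can hunt for after a credential compromise. The following is an added example, not code from the advisory or any of the agencies, that audits exported inbox rules and flags any rule forwarding or redirecting mail outside the organisation, with a stronger note when the destination is one of the consumer webmail providers the advisory names. The rule record format, the internal domain `example.org`, and the sample rules are all constructed assumptions for this example.

```python
"""Audit exported mailbox inbox rules for external auto-forwarding.

Added example, not from the advisory. The rule record format below is a
constructed assumption; adapt the field names to whatever your mail
platform exports.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: the organisation's own domains (constructed for this example).
INTERNAL_DOMAINS = {"example.org"}
# Webmail providers the advisory names as used by the actor; an external
# forward to one of these deserves a closer look but is not proof on its own.
WEBMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com", "proton.me", "protonmail.com"}
# Rule action types (constructed names) that send mail to another mailbox.
FORWARDING_ACTIONS = {"forwardTo", "forwardAsAttachmentTo", "redirectTo"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    recipient: str
    reason: str


def external_domain(address: str) -> Optional[str]:
    """Return the recipient's domain if it is outside the organisation, else None."""
    domain = address.rsplit("@", 1)[-1].lower()
    return None if domain in INTERNAL_DOMAINS else domain


def audit_rules(rules: list) -> list:
    """Flag every forwarding/redirect action whose recipient is external."""
    findings = []
    for rule in rules:
        for action in rule.get("actions", []):
            if action.get("type") not in FORWARDING_ACTIONS:
                continue
            for rcpt in action.get("recipients", []):
                dom = external_domain(rcpt)
                if dom is None:
                    continue  # internal forward: routine, not flagged
                reason = "external forward"
                if dom in WEBMAIL_DOMAINS:
                    reason += " to consumer webmail"
                findings.append(Finding(rule["mailbox"], rule["name"], rcpt, reason))
    return findings


# Constructed sample export: one benign internal copy, one archive rule,
# and one short-named redirect of a director's mail to a webmail address.
SAMPLE_RULES = [
    {"mailbox": "analyst@example.org", "name": "Team copy",
     "actions": [{"type": "forwardTo", "recipients": ["team@example.org"]}]},
    {"mailbox": "director@example.org", "name": "Archive",
     "actions": [{"type": "moveToFolder", "folder": "Archive"}]},
    {"mailbox": "director@example.org", "name": ".",
     "actions": [{"type": "redirectTo", "recipients": ["d.backup.mail@proton.me"]}]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox}: rule {f.rule_name!r} -> {f.recipient} ({f.reason})")
```

Run against a real export, review every finding with the mailbox owner, and treat a forwarding rule the owner did not create as a sign the account credentials may already be compromised.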

In conclusion, the agencies describe spear-phishing as an established technique used by many actors, one that Star Blizzard uses successfully and continues to evolve to maintain that success. They call upon individuals and organizations in previously targeted sectors to stay vigilant against the techniques described.

Earlier in January this year, the NCSC disclosed that Russia-based SEABORGIUM and Iran-based TA453 hacker groups continue to use spear-phishing attacks against targeted organizations and individuals in the U.K., and other areas of interest, primarily for information-gathering activity.
