Star Blizzard hackers improve sophistication, evasion techniques in ongoing cyber attacks, Microsoft reveals


Microsoft Threat Intelligence revealed that it is actively monitoring and thwarting malicious activities carried out by a Russian state-sponsored hacker group known as Star Blizzard. The group has notably enhanced its ability to evade detection since 2022 while maintaining its primary focus on stealing email credentials from the same targets. Microsoft continues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.

Star Blizzard, whose activities the research team has assessed to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. 

The latest disclosure by Microsoft on the activities of the Star Blizzard group, formerly SEABORGIUM, also known as COLDRIVER and Callisto Group, coincides with a cybersecurity advisory issued by global security agencies on Thursday. The advisory warns about the active targeting of organizations and individuals in the U.K. and other areas of interest by Star Blizzard, which has links to the Russian Federal Security Service (FSB), who are known to employ spear-phishing attacks to gather information from their targets.

“Based on our analysis of the actor’s TTPs since our previous blog in 2022, Star Blizzard has evolved to focus on improving its detection evasion capabilities,” a Microsoft blog post stated on Thursday. 

Microsoft has identified five new Star Blizzard evasive techniques:

  • Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure.
  • Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages.
  • Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.
  • Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted.
  • Shifting to a more randomized domain generation algorithm (DGA) for actor-registered domains.

Beginning in April this year, “we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, now first executing JavaScript code (titled ‘Collect and Send User Data’) before redirecting the browsing session to the Evilginx server,” the researchers detailed.

“Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled ‘Docs’), which is still in use today,” the research team added. “This capability collects various information from the browser performing the browsing session to the redirector server.”

The post also pointed out that they have observed Star Blizzard using two different services, HubSpot and MailerLite. “The actor uses these services to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure.” 

Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. “We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients,” they added.

Last December, Microsoft “began to observe Star Blizzard first using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.”

The team also pointed out that it is “yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.”

The post also disclosed that Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. “The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.”

In addition to password-protecting the PDF lures themselves, Microsoft observed the actor hosting PDF lures on a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. “While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.”
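As an added illustration of how a defender might triage the lure pattern described in the two preceding paragraphs (example code written for this page, not Microsoft's detection logic), the following Python scans a constructed set of messages and flags encrypted PDF attachments, passwords delivered in the same or a follow-up message from the same sender, and password-protected links to externally hosted files. The message layout, sample data and the `/Encrypt` heuristic are assumptions.

```python
import re
from collections import defaultdict

PASSWORD_RE = re.compile(r"\bpass(word|code)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Constructed sample mailbox (not real traffic): id, sender, body, attachments as (name, bytes)
MESSAGES = [
    {"id": 1, "from": "contact@example-org.test", "body": "Please review the attached proposal.",
     "attachments": [("proposal.pdf", b"%PDF-1.7\ntrailer\n<< /Encrypt 5 0 R /Root 1 0 R >>")]},
    {"id": 2, "from": "contact@example-org.test", "body": "The password for the file is Grant2023.",
     "attachments": []},
    {"id": 3, "from": "news@example-org.test", "body": "Read our issue at https://news.example/1",
     "attachments": []},
    {"id": 4, "from": "share@example-cloud.test", "body": "File: https://drive.example/s/abc password: Review1",
     "attachments": []},
]

def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer dictionary."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data

def find_lures(messages):
    """Return (message id, reason) pairs matching the password-protected lure pattern."""
    seen_encrypted = defaultdict(list)  # sender -> ids of earlier mails with encrypted PDFs
    findings = []
    for msg in sorted(messages, key=lambda m: m["id"]):
        encrypted = [name for name, blob in msg["attachments"]
                     if name.lower().endswith(".pdf") and pdf_is_encrypted(blob)]
        if encrypted:
            findings.append((msg["id"], f"encrypted PDF attachment {encrypted[0]}"))
        has_password = PASSWORD_RE.search(msg["body"]) is not None
        if has_password and encrypted:
            findings.append((msg["id"], "password delivered with the encrypted PDF"))
        elif has_password and seen_encrypted[msg["from"]]:
            # Password sent in a subsequent message from the same sender
            findings.append((msg["id"], f"password follow-up to message {seen_encrypted[msg['from']][-1]}"))
        elif has_password and URL_RE.search(msg["body"]):
            findings.append((msg["id"], "password-protected link to externally hosted file"))
        if encrypted:
            seen_encrypted[msg["from"]].append(msg["id"])
    return findings

if __name__ == "__main__":
    for msg_id, reason in find_lures(MESSAGES):
        print(f"message {msg_id}: {reason}")
```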

As with any observed nation-state actor activity, Microsoft directly notifies those who have been targeted or compromised, providing them with the necessary information to secure their accounts. Microsoft emphasizes using phishing-resistant authentication methods and locking down account access with conditional access policies to strengthen environments against Star Blizzard attack activity.

Microsoft also recommends using advanced anti-phishing solutions, running endpoint detection and response (EDR) in block mode, configuring investigation and remediation in fully automated mode, and using security defaults as a baseline set of policies to improve identity security posture. Additionally, organizations must implement continuous access evaluation, and monitor suspicious or anomalous activities. 

Global security agencies also published a cybersecurity advisory on Thursday warning that Star Blizzard, a Russia-based hacker group (formerly known as SEABORGIUM and also referred to as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) with links to the Russian Federal Security Service (FSB), is actively targeting organizations and individuals in the U.K. and other geographical areas of interest. These hackers have been identified as employing spear-phishing attacks to gather information from their targets.
