US, Microsoft Aim to Disrupt Russian threat actor ‘Star Blizzard’

Date:

Share:


New reports from both Microsoft’s Digital Crimes Unit and the U.S. Department of Justice expose a disruptive operation against more than 100 servers used by “Star Blizzard” — a Russian-based cyber threat actor specializing in compromising email boxes to exfiltrate sensitive content or interfere with the target’s activities.

Who is Star Blizzard?

Star Blizzard is also known as Seaborgium, Callisto Group, TA446, Coldriver, TAG-53 or BlueCharlie. According to various government entities around the globe, Star Blizzard is subordinate to the Russian Federal Security Service (FSB) Centre 18.

The threat actor has been active since at least late 2015, according to a report from cybersecurity company F-Secure. The report indicated the group targeted military personnel, government officials, and think tanks and journalists in Europe and the South Caucasus, with a primary interest of gathering intelligence related to foreign and security policy in those regions.

According to reports:

  • Since 2019, Star Blizzard has targeted the defense and governmental organizations in the U.S. as well as other areas such as the academic sector or different NGOs and politicians.
  • In 2022, the group expanded and started targeting defense-industrial targets as well as US Department of Energy facilities.
  • Since January 2023, Microsoft has identified 82 different targets for the threat actor, at a rate of approximately one attack per week.

SEE: How to Create an Effective Cybersecurity Awareness Program (TechRepublic Premium)

Modus opérandi

Star Blizzard is known for setting up infrastructure to launch spear phishing attacks, often targeting the personal email accounts of selected targets. These accounts typically have weaker security protections than professional email accounts.

As stated by Microsoft’s Assistant General Counsel Steven Masada in a press release: “Star Blizzard is persistent. They meticulously study their targets and pose as trusted contacts to achieve their goals.”

Sample spear phishing email. Image: Microsoft

Once infrastructure is exploited, the threat actor can quickly switch to new infrastructure, rendering it difficult for defenders to detect and block the used domains or IP addresses. In particular, the group uses multiple registrars to register domain names and leverage multiple link-shortening services to redirect users to phishing pages operated using the infamous Evilginx phishing kit. The group also uses open redirectors from legitimate websites.

Redirection chain using several redirectors and link-shortening services.
Redirection chain using several redirectors and link-shortening services. Image: Microsoft

The threat actor has also used altered versions of legitimate email templates, such as OneDrive file share notifications. In this case, the group used newly created email addresses intended to impersonate a trusted sender so the recipient would be more likely to open the phishing email. The email would contain a link to a modified PDF or DOCX file hosted on a cloud storage service, ultimately leading to the Evilginx phishing kit. This allowed the attackers to execute a man-in-the-middle attack capable of bypassing Multi-Factor Authentication.

Massive disruption

The DOJ announced the seizure of 41 Internet domains and additional proxies used by the Russian threat actor, while a coordinated civil action from Microsoft restrained 66 additional domains used by the threat actor.

The domains were used by the threat actor to run spear phishing attacks to compromise targeted systems or e-mail boxes, for cyberespionage purposes.

Star Blizzard is expected to quickly rebuild an infrastructure for its fraudulent activities. However, Microsoft reports that the disruption operation impacts the threat actor’s activities at a critical moment, when foreign interference in U.S. democratic processes are at their highest. It will also enable Microsoft to disrupt any new infrastructure faster through an existing court proceeding.

Want protection from this threat? Educate and train your staff.

To avoid Star Blizzard, reports suggest that organizations should:

The threat actor’s phishing emails appear to be from known contacts that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders, as the threat actor has often used that email provider in the past.

Should doubt arise, users should not click on a link. Instead, they should report the suspicious email to their IT or security staff for analysis. To achieve this, users should be educated and trained to detect spear phishing attempts.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.



Source link

━ more like this

Music Can Thrive in the AI Era

The birth of ChatGPT brought a collection of anxieties regarding how large language models allow users to quickly subvert processes that once required...

Google to challenge ChatGPT in search with AI mode feature

It is match point Google as the tech giant prepares to introduce a new “AI Mode” for its search engine, which will allow...

Here’s everything OpenAI announced in the past 12 days

Table of Contents Table of Contents Day 1: OpenAI unleashes its o1 reasoning model and introduces ChatGPT Pro Day 2: OpenAI expands its Reinforcement Fine-Tuning Research...

Tesla is recalling almost 700,000 vehicles over a tire pressure monitor issue

Another day, another Tesla recall. This time, the National Highway Traffic Safety Administration (NHTSA) of almost 700,000 Tesla vehicles warning them of...

Here’s how Apple may make the next Vision headset more affordable

A new report suggests that Apple may be lining up its plans for the launch of its more budget-friendly Vision headset. As spotted...
spot_img