Five Eyes nations warn Moscow’s mates at the Star Blizzard gang have new phishing targets

December 8, 2023 TH Author

Russia-backed attackers have named new targets for their ongoing phishing campaigns, with defense-industrial firms and energy facilities now in their sights, according to agencies of the Five Eyes alliance.

In a joint security alert issued on Thursday, seven agencies^* from Australia, Canada, New Zealand, the US and the UK, warned about a criminal gang named Star Blizzard and its evolving phishing techniques.

The agencies note that the Russian gang, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie “is almost certainly subordinate to the Russian Federal Security Service (FSB) Center 18.” This isn’t to be confused with Russia’s military intelligence agency, the GRU, which also has its own cyber-spy arm and also likes to go phishing in US and European networks.

“Russia continues to be a threat,” Rob Joyce, director of NSA’s cybersecurity directorate, warned in a statement. “Those at risk should note that the FSB likes to target personal email accounts, where they can still get to sensitive information but often with a lower security bar.”

Star Blizzard, active since at least 2019, historically targets academia, defense, governmental organizations, NGOs, think tanks, and politicians. But beginning in 2022, Star Blizzard also began prodding defense-industrial targets and US Department of Energy facilities.

“Center 18 has been previously publicly linked to intrusions into Yahoo! that involved a co-opted cyber criminal as well as intrusions by a young Canadian national who was hired to target accounts,” Mandiant Intelligence chief analyst John Hultquist told The Register.

Also on Thursday, UK Foreign Office minister Leo Docherty accused the FSB’s crew of hacking private conversations of high-profile UK politicians, and then “selectively leak[ing] and amplify[ing] information” for political meddling.

While this gang, like other Kremlin-backed hackers, focuses its espionage efforts on matters like Western security posture and foreign policy plans, Mandiant warned that intelligence-gathering is not Moscow’s only aim.

“What sets them apart from many of their peers, and makes them particularly dangerous, is their willingness to leak hacked data for political purposes,” Mandiant’s Hultquist explained. “As recently as 2022 they leaked stolen emails from Brexit advocates in an effort to suggest a scandal.”

While US and UK-based targets appear to be most at risk of Star Blizzard’s attacks, the Five Eyes say the Kremlin-backed crew has also infiltrated other NATO countries, plus others that share borders with Russia.

The cyber snoops play the long game – taking time to research their targets on social media and networking platforms, and then creating their own phony profiles and malicious spoofed domains. They use various web-based email addresses to make initial contact including Outlook, Gmail, Yahoo!, and Proton, and often impersonate someone the target knows, or well-known industry figures.

“There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport,” according to the joint alert [PDF].

Once they establish trust, Star Blizzard operatives send a malicious link to a fake website or document used to harvest the victim’s credentials. Next comes an attempt to log into the victim’s email account, snoop around and steal messages and documents. Accessing victims’ contacts is another goal, as that provides the gang with additional targets for their phishing campaigns.

In a separate report published Thursday, Microsoft shared details about the tactics, techniques, and procedures (TTPs) Star Blizzard has used over the past year.

Most aim to avoid detection and include using server-side scripts to prevent automated scanning. According to Redmond:

A month later, the crew began updating its JavaScript code, and the current version – titled “Docs” – is still in use.

The code has three functions: it checks if the browser has any plugins installed, looks for indicators that the page is being scanned by an automation tool, and then sends collected data back to the Evilginx server.

The gang primarily uses HubSpot and MailerLite to both create an email campaign and a URL that serves as the entry point to the redirect chain ending in the gang’s infrastructure.

“As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure,” Microsoft’s researchers wrote.

In another attempt to evade security tools, Star Blizzard typically uses password protected PDF lures or links to cloud-based file-sharing platforms such as Microsoft OneDrive and Proton Drive.

And after Recorded Future provided ways to detect Star Blizzard domain registrations this past August, the crew has moved to a more randomized domain generation algorithm for its domains. ®

^* The agencies that jointly issued the alert were the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US FBI, the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ)