The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.
The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.
Industry has previously published details of Star Blizzard. This advisory draws on that body of information.
This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.
To download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns.
Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.
Targets in the UK and US appear to have been most affected by Star Blizzard activity; however, activity has also been observed against targets in other NATO countries and in countries neighboring Russia.
During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.
The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.
Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their targets' interests and identify their real-world social or professional contacts [T1589], [T1593].
Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.
Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail, in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target's field of interest or sector.
To appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001].
Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.
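Because published IOC lists are not exhaustive, a defender also needs a heuristic for sender domains that merely resemble a trusted organization's domain. The check below is an added example, not code from the advisory or its publishers; the known-domain list and the substitution table are assumptions, and real deployments would replace the crude suffix handling with a public-suffix list.

```python
import difflib
from typing import Optional

# Assumption: domains this organisation and its known contacts legitimately mail from.
KNOWN_DOMAINS = ["example-thinktank.org", "ncsc.gov.uk", "protonmail.com"]
# Character swaps frequently used to build look-alike names (hypothetical, not exhaustive).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def registrable_label(domain: str) -> str:
    """Label just below the public suffix, e.g. 'ncsc' for 'mail.ncsc.gov.uk'."""
    parts = domain.lower().strip(".").split(".")
    # crude handling of two-part suffixes such as .gov.uk / .co.uk
    if len(parts) >= 3 and len(parts[-2]) <= 3 and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalise(label: str) -> str:
    """Collapse hyphens and common homoglyph substitutions before comparing."""
    label = label.replace("-", "")
    for fake, real in SUBSTITUTIONS.items():
        label = label.replace(fake, real)
    return label

def lookalike_of(sender_domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the legitimate domain that sender_domain appears to imitate, or None."""
    sender = sender_domain.lower().strip()
    for legit in known:
        if sender == legit or sender.endswith("." + legit):
            return None  # the real domain or one of its own subdomains
    s_norm = normalise(registrable_label(sender))
    for legit in known:
        l_norm = normalise(registrable_label(legit))
        if sender.startswith(legit + "."):        # real name used as a subdomain elsewhere
            return legit
        if s_norm == l_norm:                       # hyphen/homoglyph variant, e.g. examp1e-thinktank
            return legit
        if len(l_norm) >= 4 and l_norm in s_norm:  # real name embedded, e.g. ncsc-gov-uk-login.com
            return legit
        if difflib.SequenceMatcher(None, s_norm, l_norm).ratio() >= 0.85:  # typo-squat
            return legit
    return None
```

A hit is a triage signal for the mail gateway or SOC, not proof of malice: legitimate webmail providers such as gmail.com pass because they neither embed nor closely resemble a known domain.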
Star Blizzard has predominantly sent spear-phishing emails to targets' personal email addresses, although they have also used targets' corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.
Having taken the time to research their targets' interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.
Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.
The malicious link may be a URL in an email message, or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms.
Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [T1539], [T1550.004].
Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.
Star Blizzard then uses the stolen credentials to log in to a target's email account [T1078], where they are known to access and steal emails and attachments from the victim's inbox [T1114.002]. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].
The actor has also used their access to a victim email account to access mailing-list data and a victim's contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].
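Mail-forwarding rules of the kind described above leave an audit trail that a defender can hunt on. The following detection logic is an added example, not code from the advisory; the audit records are constructed, and their field layout assumes a Microsoft 365 Unified Audit Log export of Exchange events (the Operation, UserId, ClientIP and Parameters names are that assumption).

```python
from typing import Iterable, List, Optional

# Assumption: domains this organisation legitimately delivers mail to.
INTERNAL_DOMAINS = {"example-thinktank.org"}
# Exchange Online cmdlet parameters that send a copy of mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters often combined with forwarding so the victim never sees the copied mail.
STEALTH_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed audit records, laid out like Microsoft 365 Unified Audit Log Exchange
# events (the Operation/UserId/ClientIP/Parameters field names are an assumption).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "analyst@example-thinktank.org",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "smtp:archive.docs@example-webmail.test"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "analyst@example-thinktank.org",
     "ClientIP": "198.51.100.4", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example-thinktank.org",
     "ClientIP": "198.51.100.4", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:analyst@example-thinktank.org"}]},
]

def _domain(addr: str) -> str:
    """Domain part of values such as 'smtp:user@host' or '"Name" [SMTP:user@host]'."""
    addr = addr.split(":")[-1].strip('<>[]" ')
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_event(event: dict) -> Optional[dict]:
    """Return a finding when the event forwards mail to an external domain, else None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    external = sorted(v for k, v in params.items()
                      if k in FORWARD_PARAMS and _domain(v) not in INTERNAL_DOMAINS | {""})
    if not external:
        return None
    return {"user": event["UserId"], "client_ip": event.get("ClientIP"),
            "operation": event["Operation"], "rule_name": params.get("Name", ""),
            "destinations": external,
            "stealth": sorted(k for k in params if k in STEALTH_PARAMS)}

def detect_forwarding(events: Iterable[dict]) -> List[dict]:
    """Run assess_event over an audit export and keep only the findings."""
    return [f for f in (assess_event(e) for e in events) if f]
```

Findings that pair an external destination with a stealth parameter and a one-character rule name deserve the highest priority; the client IP can then be compared against the user's normal sign-in locations to confirm a credential-theft origin.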
Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success.
Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.
In the UK you can report related suspicious activity to the NCSC.
Information on effective defense against spear-phishing is included in the Mitigations section below.
This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Tactic | ID | Technique | Procedure
---|---|---|---
Reconnaissance | T1593 | Search Open Websites/Domains | Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.
A number of mitigations will be useful in defending against the activity described in this advisory.
This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.
Refer any FOIA queries to [email protected].
All material is UK Crown Copyright ©.
attack.mitre.org/versions/v14/matrices/enterprise/
attack.mitre.org/versions/v14/techniques/T1078/
attack.mitre.org/versions/v14/techniques/T1114/002/
attack.mitre.org/versions/v14/techniques/T1114/003/
attack.mitre.org/versions/v14/techniques/T1539/
attack.mitre.org/versions/v14/techniques/T1550/004/
attack.mitre.org/versions/v14/techniques/T1566/001/
attack.mitre.org/versions/v14/techniques/T1566/002/
attack.mitre.org/versions/v14/techniques/T1583/001/
attack.mitre.org/versions/v14/techniques/T1585/001/
attack.mitre.org/versions/v14/techniques/T1585/002/
attack.mitre.org/versions/v14/techniques/T1586/002/
attack.mitre.org/versions/v14/techniques/T1589/
attack.mitre.org/versions/v14/techniques/T1593/
blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
report.ncsc.gov.uk/
www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working
www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software
www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email
www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf
www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services
www.ncsc.gov.uk/guidance/phishing
www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv