A Russia-linked threat group known as BlueCharlie has changed its tactics and infrastructure after several research teams publicly exposed its previous campaigns.
The threat group (associated with Callisto, ColdRiver and Star Blizzard) has been active since 2017 and focuses on espionage and hack-and-leak operations. Previously, the group has targeted organizations in the government, defense, education and political sectors (as well as NGOs, journalists and think tanks), primarily located in North Atlantic Treaty Organization (NATO) nations and in Ukraine.
Though researchers with Recorded Future, Sekoia and PWC have previously detailed campaigns associated with the threat group, starting in March researchers with Recorded Future’s Insikt Group said the attackers are now leveraging 94 new domains to likely use in phishing campaigns or for credential harvesting. It is fairly common for threat actors to adjust their infrastructure and modify their techniques to avoid detection, especially on the heels of industry public disclosures; however, attackers are getting quicker and better at doing so. Researchers said that BlueCharlie will likely continue to adapt and evolve in the future.
“Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting,” according to Insikt Group researchers in a Wednesday analysis.
In December, the Insikt Group researchers observed infrastructure linked to BlueCharlie that contained a spoofed Microsoft login page and masqueraded as a legitimate military weapons and hardware supplier in the U.S., likely in order to harvest victim credentials.
"We continued to actively monitor that infrastructure, until March of this year, when we noticed the threat actors shifting their naming conventions, registrars, ASNs, and other technical indicators on infrastructure that we were actively watching," according to Insikt Group threat intelligence analysts. "This allowed us to attribute the current activity described in our newest report to BlueCharlie (previously TAG-53), as they had re-used some of their infrastructure and we witnessed the change real-time."
The threat group’s newer domains have a different domain name structure and keyword themes. The group has removed the use of the hyphen in its domain name structure that was dominantly used before (such as access-confirmation[.]com), as researchers noted in their December report.
The group also previously impersonated target domains as part of its attacks, including several aerospace and defense companies, a telecoms company, a logistics organization and the Russian Ministry of Internal Affairs. Since then, researchers have not observed BlueCharlie targeting organization domains in this manner; instead the group has been using keywords related to IT and cryptocurrency (such as cloudrootstorage or directexpressgateway). The group has also leveraged NameCheap for the majority of its domain registrations, whereas previously it relied on the Porkbun registrar, Regway and REG RU, in addition to NameCheap.
“While the group uses relatively common techniques to conduct attacks (such as the use of phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable,” said researchers.
Insikt Group researchers were unable to determine the victimology or targeting for this more recent campaign. However, the threat group’s continued use of phishing and its evolving tactics suggest it will remain active in its operations, and they recommended that network defenders employ anti-phishing measures like training and multi-factor authentication.
“To counter BlueCharlie's threat, network defenders should enhance phishing defenses, implement FIDO2-compliant multi-factor authentication, use threat intelligence, and educate third-party vendors,” said Insikt Group researchers.