U.S., UK Sanction Russian APT Members


The U.S. and UK governments are cracking down on a known Russian threat group with sanctions, as well as the release of a series of reports exposing the group's tactics used in recent spear-phishing attacks against individuals in the U.S. government and Defense Industrial Base, UK parliamentarians and more.

The known threat group has been tracked over the years by researchers as Seaborgium, Star Blizzard and BlueCharlie. While the UK’s National Cyber Security Centre (NCSC) previously warned of spear-phishing campaigns from the threat actor in January, in this most recent joint advisory, the NSA, NCSC and other Five Eyes agency partners directly linked the group to the Russian Federal Security Service’s center for information security (FSB Center 18). The Department of Treasury's Office of Foreign Assets Control (OFAC) in coordination with the UK on Thursday designated two individuals associated with the group's activities - Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets - and the Department of Justice (DoJ) also announced charges against these individuals, alleging that they targeted employees of the U.S. intelligence community, Department of Defense, Department of State, defense contractors, and Department of Energy facilities.

“Since 2019, Star Blizzard has targeted sectors including academia, defence, governmental organisations, NGOs, think tanks and politicians,” according to the NSA’s report on Thursday. “During 2022, Star Blizzard activity appeared to expand further, to include defence-industrial targets, as well as US Department of Energy facilities.”

The NSA said that in its ongoing campaign, the group has used social media and networking platforms to conduct reconnaissance in order to build an intricate social engineering web. The group has created email accounts, social media and networking profiles that impersonated targets’ known contacts or respected experts in the industry.

The actors would then send benign emails to targets’ personal addresses, building rapport before later delivering the malicious link (either in the email itself or embedded in a document), which led to a landing page designed to steal their credentials.

“Star Blizzard then uses the stolen credentials to log in to a target’s email account, where they are known to access and steal emails and attachments from the victim’s inbox,” according to the NSA’s report. “They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence. The actor has also used their access to a victim email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity.”
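The mail-forwarding rules described in the NSA report are one of the few persistence artefacts a defender can hunt for directly in mailbox audit data. The following Python script is an added example, not code from the article, the NSA or Microsoft: it scans constructed mailbox-rule audit records (a hypothetical, simplified schema, not any vendor's exact format) and flags rules that forward or redirect mail to an address outside the organisation's own domains, escalating when the rule also deletes the local copy or carries an empty or single-character name.

```python
"""Hunt for suspicious mailbox forwarding rules in audit records (added example)."""
import json
from dataclasses import dataclass, field

# Constructed sample records. The field names (user, op, params) are a
# hypothetical simplification of a mailbox rule-creation audit event,
# not any vendor's real schema. Domains are example/placeholder values.
SAMPLE_AUDIT_LOG = """
{"user": "alice@example.org", "op": "New-InboxRule", "params": {"Name": "Backup", "ForwardTo": "alice.archive@example.org"}}
{"user": "bob@example.org", "op": "New-InboxRule", "params": {"Name": ".", "ForwardTo": "mail-sync@relay-example.net", "DeleteMessage": "True"}}
{"user": "carol@example.org", "op": "Set-InboxRule", "params": {"Name": "Filing", "RedirectTo": "c.archive@external-example.com", "SubjectContainsWords": "invoice"}}
{"user": "dave@example.org", "op": "New-InboxRule", "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}}
"""

# Domains the organisation owns; forwarding inside these is considered benign here.
INTERNAL_DOMAINS = {"example.org"}
# Rule parameters that send a copy of, or redirect, incoming mail.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


@dataclass
class Finding:
    user: str
    destination: str
    deletes_copy: bool
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Deleting the mailbox copy hides the forwarding from the victim, so rank it higher.
        return "high" if self.deletes_copy else "medium"


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def parse_audit_log(text: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse_rule_event(event: dict, internal_domains: set):
    """Return a Finding if the rule forwards or redirects mail to an external domain."""
    if event.get("op") not in RULE_OPERATIONS:
        return None
    params = event.get("params", {})
    destinations = [params[p] for p in FORWARDING_PARAMS if p in params]
    if not destinations:
        return None  # rule does not forward anything (e.g. move-to-folder only)
    external = [d for d in destinations if email_domain(d) not in internal_domains]
    if not external:
        return None
    deletes = str(params.get("DeleteMessage", "")).lower() == "true"
    reasons = [f"forwards to external domain {email_domain(d)}" for d in external]
    if deletes:
        reasons.append("deletes the mailbox copy after forwarding")
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    return Finding(user=event["user"], destination=external[0],
                   deletes_copy=deletes, reasons=reasons)


def scan_audit_log(text: str, internal_domains: set = INTERNAL_DOMAINS) -> list:
    """Run the rule check over every record and collect the findings."""
    findings = []
    for event in parse_audit_log(text):
        finding = analyse_rule_event(event, internal_domains)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{f.severity}] {f.user} -> {f.destination}: {'; '.join(f.reasons)}")
```

Against the constructed records, Alice's internal backup rule and Dave's move-to-folder rule are ignored, Bob's rule is reported as high severity (external destination, deleted copy, one-character name) and Carol's redirect is reported as medium. Applying the same logic to real audit exports only requires mapping the vendor's field names onto the three keys the script reads.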

New TTPs

In a corresponding analysis, Microsoft researchers described how the threat actors have shifted their tactics to leverage server-side scripts in an attempt to block automated scanning of their infrastructure. Specifically, the threat group has been trying to cloak its use of Evilginx, an open source man-in-the-middle phishing framework used to harvest credentials and session cookies and to bypass MFA.

“Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure,” according to researchers with Microsoft in an analysis. “Redirection was still performed by an actor-controlled server, now first executing JavaScript code (titled ‘Collect and Send User Data’) before redirecting the browsing session to the Evilginx server. Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled ‘Docs’), which is still in use today.”

The threat actors have also taken other measures to hide their activity, including the use of a DNS provider to conceal the IP addresses of their VPS infrastructure (the DNS provider has since been notified of the abuse and has removed actor-controlled domains) and the use of two different email marketing platform services, HubSpot and MailerLite, to create email campaigns. By leveraging these legitimate services, threat actors were able to mask their true email server addresses and actor-controlled domain infrastructure in messages.

The group has also transitioned to a more randomized domain generation algorithm (DGA) for its domains, and has switched to using password-protected PDF lures, or links to file-sharing platforms hosting PDF lures, in order to sidestep email security scanning.

Shifts in Targeting

The threat group has previously targeted government organizations, academia, think tanks, NGOs, politicians and others in both espionage campaigns and influence operations. It has mostly targeted organizations in the U.S. and UK, but has also launched attacks against entities in other NATO countries and countries neighboring Russia.

The UK on Thursday linked the FSB to several previous campaigns conducted by the threat group, including the compromise of UK-U.S. trade documents that were leaked ahead of the 2019 General Election, and the 2018 compromise of UK think tank Institute for Statecraft (as well as the more recent hack of its founder).

During 2022, the group's activity appeared to grow to include defense-industrial targets, as well as U.S. Department of Energy facilities. In August 2022, Microsoft said it had disabled accounts used by the threat actor for reconnaissance, phishing and email collection, and said it had observed the threat actor targeting over 30 organizations since the start of the year.

In order to avoid attacks by this threat group, the NSA recommends that organizations use strong, unique passwords and set up MFA to reduce the impact of compromise. Microsoft and the NSA both also shared indicators of compromise (IoCs) for the attacks.

“A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment,” according to Microsoft.