
Russian Hacker Group ‘Star Blizzard’ Upgrades Phishing Stealth, Research Uncovers


State Sponsored Villains

“Star Blizzard” (aka Seaborgium, BlueCharlie, Callisto Group, Coldriver) has been actively involved in cyber espionage since 2017, concentrating its efforts on public and private organizations in NATO member countries, particularly in the fields of politics, defense, and related sectors.

Noteworthy is its recent focus on individuals and organizations providing support for Ukraine. Despite its successful cyber breaches, Star Blizzard is equally recognized for operational security failures.

Microsoft disrupted the group in August 2022, prompting Recorded Future to monitor its attempts to shift to new infrastructure.

Star Blizzard’s Latest Movements

In its latest evasion efforts, Star Blizzard has adopted five primary tactics, notably utilizing email marketing platforms for phishing. The group employs password-protected PDF lure documents and cloud-based file-sharing platforms to bypass email filters.

To obstruct human analysis, they use a domain name service (DNS) provider as a reverse proxy and incorporate server-side JavaScript snippets to impede automated scanning of their infrastructure.

Star Blizzard also employs a more randomized domain generation algorithm (DGA) to complicate pattern detection. Despite these tactics, Microsoft notes certain defining characteristics in Star Blizzard’s domains, including registration with Namecheap, similar naming conventions, and TLS certificates from Let’s Encrypt.

A significant shift in their strategy involves the use of email marketing services such as Mailerlite and HubSpot to direct phishing campaigns.

This enables the creation of dedicated subdomains for redirection and of URLs that serve as entry points to a redirection chain ending at actor-controlled Evilginx server infrastructure.

The group’s innovative approach combines cloud-based platforms, virtual private servers (VPS), and server-side scripts, enhancing their ability to redirect victims selectively.
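The two preceding points, the domain characteristics Microsoft observed and the redirect chain that starts on an email marketing subdomain and ends on actor-controlled infrastructure, can be turned into a simple triage rule for a URL sandbox or mail gateway. The script below is an added example, not code from the Veroot post, Microsoft or Recorded Future. It scores a candidate record on the traits named above; the weights, the entropy cut-off, the record layout, the assumption that tracking links live on subdomains of mailerlite.com and hubspot.com, and every sample record are constructed for illustration and are not published indicators.

```python
"""Triage helper for candidate phishing infrastructure records.

Added example: not code from the Veroot post, Microsoft or Recorded Future.
It encodes the domain traits the post attributes to Microsoft (Namecheap
registration, Let's Encrypt certificates, DGA-style names) and the redirect
chain shape the post describes (an email marketing subdomain as the entry
point, a chain that ends at an unrelated actor-controlled host). Weights,
thresholds, the record layout and all sample records are constructed
assumptions, not published indicators.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import math

# Traits the post attributes to Microsoft's analysis of the group's domains.
KNOWN_REGISTRAR = "namecheap"
KNOWN_CA = "let's encrypt"
# Email marketing platforms named in the post; assumed (not stated in the
# post) to hand out tracking links on subdomains of these registrable domains.
MARKETING_PLATFORMS = ("mailerlite.com", "hubspot.com")
# Assumed entropy cut-off (bits per character) for a DGA-looking label.
HIGH_ENTROPY = 3.8

# Constructed weights: a marketing-platform entry point alone is weak evidence
# (legitimate newsletters use it too); the chain leaving the platform is what
# distinguishes the redirect pattern described in the post.
WEIGHTS = {
    "registrar_namecheap": 1,
    "cert_lets_encrypt": 1,
    "entry_on_marketing_platform": 2,
    "chain_leaves_platform": 2,
    "high_entropy_label": 1,
}


@dataclass
class InfraRecord:
    hops: list            # ordered redirect chain as observed by a URL sandbox
    registrar: str        # WHOIS registrar of the final hop's domain
    cert_issuer: str      # TLS certificate issuer of the final hop's host


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels. Production code would consult the
    # public suffix list so that e.g. "co.uk" is handled correctly.
    return ".".join(host.split(".")[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def on_marketing_platform(host: str) -> bool:
    return registrable_domain(host) in MARKETING_PLATFORMS


def triage(record: InfraRecord):
    """Return (score, findings) for one record; a higher score is more suspicious."""
    findings = []
    if KNOWN_REGISTRAR in record.registrar.lower():
        findings.append("registrar_namecheap")
    if KNOWN_CA in record.cert_issuer.lower():
        findings.append("cert_lets_encrypt")
    if record.hops:
        first, last = host_of(record.hops[0]), host_of(record.hops[-1])
        if on_marketing_platform(first):
            findings.append("entry_on_marketing_platform")
            # The redirect pattern from the post: starts on the platform,
            # ends somewhere else entirely.
            if not on_marketing_platform(last):
                findings.append("chain_leaves_platform")
        # DGA heuristic on the second-level label of the final destination.
        if label_entropy(registrable_domain(last).split(".")[0]) >= HIGH_ENTROPY:
            findings.append("high_entropy_label")
    return sum(WEIGHTS[f] for f in findings), findings


# Constructed sample records; destination hosts use the reserved .example TLD.
SUSPICIOUS = InfraRecord(
    hops=[
        "https://example-list.mailerlite.com/c/abc123",
        "https://cdn-go.example/redirect?id=42",
        "https://k3q8vzx1mw7rp2ty.example/login",
    ],
    registrar="NameCheap, Inc.",
    cert_issuer="Let's Encrypt",
)
BENIGN = InfraRecord(
    hops=[
        "https://example-list.mailerlite.com/c/def456",
        "https://track.mailerlite.com/open/def456",
    ],
    registrar="MarkMonitor Inc.",
    cert_issuer="DigiCert Inc",
)

if __name__ == "__main__":
    for name, rec in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, findings = triage(rec)
        print(f"{name}: score={score} findings={findings}")
```

Run stand-alone, the script scores the constructed suspicious record 7 (all five findings) and the benign newsletter record 2 (only the marketing-platform entry point), which is the point of the weighting: a link arriving via MailerLite or HubSpot is normal, but a chain that starts there and finishes on a freshly registered, Let's Encrypt-fronted host with a random-looking name is the shape the post describes and deserves a closer look.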

Recorded Future highlights the group’s success in targeting think tanks, research organizations, and UK government officials, showcasing the evolving and impactful nature of Star Blizzard’s cyber operations.

“Their use of cloud-based platforms like HubSpot, MailerLite, and virtual private servers (VPS) partnered with server-side scripts to prevent automated scanning is an interesting approach,” explains Recorded Future Insikt Group threat intelligence analyst Zoey Selman, “as it enables BlueCharlie to set allow parameters to redirect the victim to threat actor infrastructure only when the requirements are met.”

Veroot’s Mission of Cyber Awareness

At Veroot, we aim to emphasize the escalating nature of phishing campaigns orchestrated by threat actors. Our services offer comprehensive phishing training to enhance awareness within your team. Should this be of interest to your organization, please feel free to contact us by clicking the below link.
