UNITED24 - Make a charitable donation in support of Ukraine!

Intelligence


Callisto Group / Star Blizzard / SEABORGIUM / COLDRIVER

The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spearphishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.

Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians. Targets in the UK and US appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia. During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.

The activity is typical of spearphishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spearphishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.

Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts [T1589], [T1593]. Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.

Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector. To appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001]. Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.

Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.

Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials. The malicious link may be a URL in an email message, or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms. Star Blizzard uses the open-source framework EvilGinx in their spearphishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [T1539], [T1550.004].

Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised. Star Blizzard then uses the stolen credentials to log in to a target’s email account [T1078], where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002]. They have also set up mail- forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].

The actor has also used their access to a victim email account to access mailing-list data and a victim’s contacts list, which they then use for follow- on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].

The Justice Department announced October 3, 2024 the unsealing of a warrant authorizing the seizure of 41 internet domains used by Russian intelligence agents and their proxies to commit computer fraud and abuse in the United States.

According to the partially unsealed affidavit filed in support of the government’s seizure warrant, the seized domains were used by hackers belonging to, or criminal proxies working for, the “Callisto Group,” an operational unit within Center 18 of the Russian Federal Security Service (the FSB), to commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer. Callisto Group hackers used the seized domains in an ongoing and sophisticated spear-phishing campaign with the goal of gaining unauthorized access to, and steal valuable information from, the computers and email accounts of U.S. government and other victims.

In conjunction, Microsoft announced the filing of a civil action to seize 66 internet domains also used by Callisto Group actors. Microsoft Threat Intelligence tracks this group as “Star Blizzard” (formerly SEABORGIUM, also known as COLDRIVER). Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society entities and organizations – journalists, think tanks, and nongovernmental organizations (NGOs) – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.

As an example of the Department’s commitment to public-private operational collaboration to disrupt such adversaries’ malicious cyber activities, as set forth in the National Cybersecurity Strategy, the Department acted concurrently with a Microsoft civil action to restrain 66 internet domains used by the same actors.

“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” said Deputy Attorney General Lisa Monaco. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”

“This seizure is part of a coordinated response with our private sector partners to dismantle the infrastructure that cyber espionage actors use to attack U.S. and international targets,” said U.S. Attorney Ismail J. Ramsey for the Northern District of California. “We thank all of our private-sector partners for their diligence in analyzing, publicizing, and combating the threat posed by these illicit state-coordinated actions in the Northern District of California, across the United States, and around the world.”

“This disruption exemplifies our ongoing efforts to expel Russian intelligence agents from the online infrastructure they have used to target individuals, businesses, and governments around the world,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Working closely with private-sector partners such as Microsoft, the National Security Division uses the full reach of our authorities to confront the cyber-enabled threats of tomorrow from Russia and other adversaries.”

“Working in close collaboration with public and private sector partners—in this case through the execution of domain seizures — we remain in prime position to counter and defeat a broad range of cyber threats posed by adversaries,” said FBI Deputy Director Paul Abbate. “Our efforts to prevent the theft of information by state-sponsored criminal actors are relentless, and we will continue our work in this arena with partners who share our common goals.”

“This case underscores the importance of the FBI’s enduring partnerships with private sector companies, which allow for rapid information sharing and coordinated action. With these seizures, we’ve disrupted a sophisticated cyber threat aimed at compromising sensitive government intelligence and stealing valuable information,” said FBI Special Agent in Charge Robert Tripp. “Today’s success highlights the power of collaboration in safeguarding the United States against state-sponsored cybercrime.”

The government’s affidavit alleged the Callisto Group actors targeted, among others, United States-based companies, former employees of the United States Intelligence Community, former and current Department of Defense and Department of State employees, United States military defense contractors, and staff at the Department of Energy. In December 2023, the Department announced charges against two Callisto-affiliated actors, Ruslan Aleksandrovich Peretyatko, an officer in FSB Center 18, and Andrey Stanislavovich Korinets. The indictment charged the defendants with a campaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty Organization member countries, and Ukraine, all on behalf of the Russian government.



NEWSLETTER
Join the GlobalSecurity.org mailing list