Article Details

Scrape Timestamp (UTC): 2023-12-08 01:35:31.233

Source: https://www.theregister.com/2023/12/08/five_eyes_star_blizzard_warning/

Original Article Text

Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets

The Russians are coming! Err, they've already infiltrated UK, US inboxes.

Russia-backed attackers have named new targets for their ongoing phishing campaigns, with defense-industrial firms and energy facilities now in their sights, according to agencies of the Five Eyes alliance.

In a joint security alert issued on Thursday, eight agencies* from Australia, Canada, New Zealand, the US and the UK warned about a group tracked as Star Blizzard and its evolving phishing techniques. The agencies note that the Russian gang, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie, "is almost certainly subordinate to the Russian Federal Security Service (FSB) Center 18." This isn't to be confused with Russia's military intelligence agency, the GRU, which also has its own cyber-spy arm and also likes to go phishing in US and European networks.

"Russia continues to be a threat," Rob Joyce, director of NSA's cybersecurity directorate, warned in a statement. "Those at risk should note that the FSB likes to target personal email accounts, where they can still get to sensitive information but often with a lower security bar."

Star Blizzard, active since at least 2019, historically targets academia, defense, governmental organizations, NGOs, think tanks, and politicians. But beginning in 2022, Star Blizzard also began prodding defense-industrial targets and US Department of Energy facilities.

"Center 18 has been previously publicly linked to intrusions into Yahoo! that involved a co-opted cyber criminal as well as intrusions by a young Canadian national who was hired to target accounts," Mandiant Intelligence chief analyst John Hultquist told The Register.

Also this week, a US grand jury charged two alleged members of Star Blizzard with hacking into US, UK, and other NATO countries' networks on behalf of the Russian government.
According to court documents, Ruslan Aleksandrovich Peretyatko, an officer in Russia's FSB Center 18, along with Andrey Stanislavovich Korinets and other unindicted conspirators, targeted current and former employees of the US intelligence agencies, the Defense and State Departments, defense contractors, and Department of Energy facilities between at least October 2016 and October 2022.

"The Conspirators used 'spoofed' email accounts designed to look like personal and work-related email accounts of current and former employees of the military, DOD, USIC, and DOE facilities, among others," the court documents state.

The indictment also alleges that Star Blizzard members pulled off successful phishing campaigns against military and government officials, think tank staff, and journalists in the UK, and that info from some of these compromised email accounts was then leaked to the press in Russia and the UK in advance of the 2019 UK elections.

Also on Thursday, UK Foreign Office minister Leo Docherty accused the FSB's crew of hacking private conversations of high-profile UK politicians, and then "selectively leak[ing] and amplify[ing] information" for political meddling.

While this gang, like other Kremlin-backed hackers, focuses its espionage efforts on matters like Western security posture and foreign policy plans, Mandiant warned that intelligence-gathering is not Moscow's only aim.

"What sets them apart from many of their peers, and makes them particularly dangerous, is their willingness to leak hacked data for political purposes," Mandiant's Hultquist explained. "As recently as 2022 they leaked stolen emails from Brexit advocates in an effort to suggest a scandal."

While US and UK-based targets appear to be most at risk of Star Blizzard's attacks, the Five Eyes say the Kremlin-backed crew has also infiltrated other NATO countries, plus others that share borders with Russia.
The cyber snoops play the long game, taking time to research their targets on social media and networking platforms, and then creating their own phony profiles and malicious spoofed domains. They use various web-based email addresses to make initial contact, including Outlook, Gmail, Yahoo!, and Proton, and often impersonate someone the target knows, or well-known industry figures.

"There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport," according to the joint alert [PDF].

Once they establish trust, Star Blizzard operatives send a malicious link to a fake website or document used to harvest the victim's credentials. Next comes an attempt to log into the victim's email account, snoop around and steal messages and documents. Accessing victims' contacts is another goal, as that provides the gang with additional targets for their phishing campaigns.

In a separate report published Thursday, Microsoft shared details about the tactics, techniques, and procedures (TTPs) Star Blizzard has used over the past year. Most aim to avoid detection and include using server-side scripts to prevent automated scanning of the gang's infrastructure. According to Redmond:

"Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, now first executing JavaScript code (titled 'Collect and Send User Data') before redirecting the browsing session to the Evilginx server."

A month later, the crew began updating its JavaScript code, and the current version, titled "Docs", is still in use. The code has three functions: it checks whether the browser has any plugins installed, looks for indicators that the page is being scanned by an automation tool, and then sends the collected data back to the Evilginx server.
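The gating script Microsoft describes matters from the defender's side: if the sandbox or URL scanner you use to detonate suspicious links presents like an automation tool, the redirector never forwards it to the Evilginx page and the link gets reported as clean. The following is an added example, not code from the article, from Microsoft's report, or from the actor's "Docs" script. It reads a navigator/window snapshot for the kinds of signals such a gate is assumed to check (plugin count, navigator.webdriver, a HeadlessChrome user agent, an empty language list, a zero-sized outer window) and returns the report a gate would collect instead of sending it anywhere. The specific signals, thresholds, and the two constructed fixtures are assumptions, not the actor's logic.

```javascript
// Added example (not from the article, Microsoft's report, or the actor's
// "Docs" script): a defender-side check for the automation indicators a
// pre-redirect gate script can read from the browser. Run it inside the
// sandbox or URL scanner you detonate phishing links with; if it flags your
// scanner, a gate of the kind Microsoft describes would too. The signals
// below are assumptions about common checks, not the actor's actual code.
'use strict';

// Works on any object with navigator/window field names, so the same logic
// runs in a browser (pass navigator and window) or in Node against fixtures.
function automationIndicators(nav, win) {
  const hits = [];

  // 1. Plugin inventory: desktop Chromium builds expose a few PDF-viewer
  //    plugins; headless and automation profiles usually expose none.
  const pluginCount = nav.plugins ? nav.plugins.length : 0;
  if (pluginCount === 0) hits.push('no-plugins');

  // 2. The WebDriver flag is set by Selenium/Puppeteer/Playwright by default.
  if (nav.webdriver === true) hits.push('navigator.webdriver');

  // 3. Headless Chrome names itself in the user agent unless overridden.
  if (/HeadlessChrome/i.test(nav.userAgent || '')) hits.push('headless-ua');

  // 4. Automation profiles often carry no configured languages.
  if (!nav.languages || nav.languages.length === 0) hits.push('no-languages');

  // 5. A window with zero outer dimensions is typical of headless sessions.
  if (win && (win.outerWidth === 0 || win.outerHeight === 0)) {
    hits.push('zero-outer-size');
  }
  return hits;
}

// Decide the way a gate plausibly would: one strong indicator, or two weak ones.
function looksAutomated(nav, win) {
  const hits = automationIndicators(nav, win);
  const strong = hits.some(h => h === 'navigator.webdriver' || h === 'headless-ua');
  return strong || hits.length >= 2;
}

// The payload a gate script would send to its server before choosing whether
// to redirect; returned here rather than POSTed anywhere.
function buildReport(nav, win) {
  return {
    ua: nav.userAgent || '',
    plugins: nav.plugins ? nav.plugins.length : 0,
    indicators: automationIndicators(nav, win),
    automated: looksAutomated(nav, win),
  };
}

// Constructed fixtures (assumptions, not captured data).
const HEADLESS_SCANNER = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/119.0.0.0 Safari/537.36',
  webdriver: true,
  plugins: [],
  languages: [],
};
const HEADLESS_WINDOW = { outerWidth: 0, outerHeight: 0 };

const DESKTOP_USER = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  webdriver: false,
  plugins: [{ name: 'PDF Viewer' }, { name: 'Chrome PDF Viewer' }],
  languages: ['en-GB', 'en'],
};
const DESKTOP_WINDOW = { outerWidth: 1440, outerHeight: 900 };

if (typeof window !== 'undefined' && typeof navigator !== 'undefined') {
  // In a browser: report on the session this script is actually running in.
  console.log(JSON.stringify(buildReport(navigator, window), null, 2));
} else {
  console.log(JSON.stringify(buildReport(HEADLESS_SCANNER, HEADLESS_WINDOW), null, 2));
  console.log(JSON.stringify(buildReport(DESKTOP_USER, DESKTOP_WINDOW), null, 2));
}
```

Paste the block into the developer console of the browser your scanner drives, or serve it from a test page the scanner fetches; a non-empty indicators list tells you which property to harden (for example, unsetting navigator.webdriver or giving the headless profile a real plugin list and language) before trusting the scanner's verdicts on mail links.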
The gang primarily uses HubSpot and MailerLite to both create an email campaign and a URL that serves as the entry point to the redirect chain ending in the gang's infrastructure.

"As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure," Microsoft's researchers wrote.

In another attempt to evade security tools, Star Blizzard typically uses password-protected PDF lures or links to cloud-based file-sharing platforms such as Microsoft OneDrive and Proton Drive. And after Recorded Future provided ways to detect Star Blizzard domain registrations this past August, the crew has moved to a more randomized domain generation algorithm for its domains.

* The agencies that jointly issued the alert were the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US FBI, the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ).
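A mail-gateway triage check for the two lure styles named above, an encrypted PDF attachment or a PDF whose payload is a link to a cloud file-sharing host, as an added example that is not from the article or from any vendor product. It works on raw PDF bytes without a PDF library, discards the contents of stream objects so compressed or decoy text cannot trigger it, and runs against three constructed sample documents. The list of sharing hostnames (onedrive.live.com, 1drv.ms, drive.proton.me) is an assumption to be replaced with your own.

```javascript
// Added example (not from the article or any vendor tooling): triage raw PDF
// bytes for a password-protected document or a link to a file-sharing host.
// Pure string work on PDF syntax; hostnames are assumptions, not published
// indicators.
'use strict';

const SHARING_HOSTS = ['onedrive.live.com', '1drv.ms', 'drive.proton.me'];

// PDF object syntax is Latin-1 safe. Stream bodies (possibly compressed
// binary) are blanked so that tokens inside them cannot match our checks.
function pdfSyntax(buf) {
  const text = buf.toString('latin1');
  return text.replace(/stream\r?\n[\s\S]*?endstream/g, 'stream endstream');
}

function isPdf(buf) {
  return buf.subarray(0, 5).toString('latin1') === '%PDF-';
}

// Encrypted documents carry an /Encrypt entry in the trailer (or in a
// cross-reference stream dictionary). \b keeps /EncryptMetadata from matching.
function isEncryptedPdf(buf) {
  return /\/Encrypt\b/.test(pdfSyntax(buf));
}

// Collect /URI (...) action targets; tolerates backslash-escaped parentheses.
function extractUris(buf) {
  const text = pdfSyntax(buf);
  const re = /\/URI\s*\(((?:\\.|[^\\)])*)\)/g;
  const uris = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    uris.push(m[1].replace(/\\(.)/g, '$1'));
  }
  return uris;
}

function isSharingLink(uri) {
  let host;
  try { host = new URL(uri).hostname.toLowerCase(); } catch (e) { return false; }
  return SHARING_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

function triagePdf(buf) {
  if (!isPdf(buf)) return { verdict: 'not-pdf', encrypted: false, uris: [], sharingLinks: [] };
  const encrypted = isEncryptedPdf(buf);
  const uris = extractUris(buf);
  const sharingLinks = uris.filter(isSharingLink);
  let verdict = 'clean';
  if (encrypted) verdict = 'encrypted-lure';
  else if (sharingLinks.length > 0) verdict = 'sharing-link-lure';
  return { verdict, encrypted, uris, sharingLinks };
}

// Constructed sample documents (minimal, not real lures).
const ENCRYPTED_PDF = Buffer.from(
  '%PDF-1.7\n' +
  '1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n' +
  '2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n' +
  '3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >> endobj\n' +
  'trailer << /Root 1 0 R /Encrypt 3 0 R /ID [<aa> <bb>] >>\n%%EOF\n', 'latin1');

const LINK_PDF = Buffer.from(
  '%PDF-1.7\n' +
  '1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n' +
  '2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n' +
  '3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n' +
  '4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] ' +
  '/A << /S /URI /URI (https://onedrive.live.com/?id=constructed) >> >> endobj\n' +
  'trailer << /Root 1 0 R >>\n%%EOF\n', 'latin1');

// Clean document whose only "/Encrypt" text sits inside a stream body.
const CLEAN_PDF = Buffer.from(
  '%PDF-1.7\n' +
  '1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n' +
  '2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n' +
  '3 0 obj << /Length 21 >> stream\n/Encrypt is just text\nendstream endobj\n' +
  '4 0 obj << /S /URI /URI (https://www.theregister.com/) >> endobj\n' +
  'trailer << /Root 1 0 R >>\n%%EOF\n', 'latin1');

for (const [name, doc] of [['encrypted', ENCRYPTED_PDF], ['link', LINK_PDF], ['clean', CLEAN_PDF]]) {
  console.log(name, JSON.stringify(triagePdf(doc)));
}
```

Treat the verdict as a triage signal rather than a block rule: encrypted PDFs are common in finance and legal mail, so route them to a sandbox or quarantine for review, and log the extracted URIs so that links to sharing hosts can be correlated with the sender's history and the redirect chain described above.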

Daily Brief Summary

NATION STATE ACTIVITY // Five Eyes Warns of Russian Cyber Espionage on Western Targets

A coalition of intelligence agencies from the Five Eyes nations has issued a warning about a Russian-linked cyber gang, Star Blizzard, targeting defense and energy sectors.

The gang, assessed to be subordinate to Russia's Federal Security Service (FSB) Center 18, employs patient, well-researched spear-phishing aimed at personal and organizational email accounts.

Star Blizzard has been active since at least 2019, with recent attacks focusing on defense-industrial targets and U.S. Department of Energy facilities.

Recent indictments in the U.S. charged two alleged Star Blizzard members with conducting hacking operations on behalf of the Russian government, including espionage against U.S. and UK officials and entities.

The group is known not only for intelligence-gathering but also for leaking hacked data for political purposes, as seen in the leaks ahead of the 2019 UK elections and, in 2022, of stolen emails from Brexit advocates.

The attackers meticulously research their targets on social media and networking platforms, using fake profiles and domains to build trust and eventually steal credentials.

Microsoft provided insights on the tactics, techniques, and procedures (TTPs) Star Blizzard employed over the past year, including server-side scripts and browser-checking JavaScript that filter out automated scanners before redirecting victims to its Evilginx credential-harvesting servers, password-protected PDF lures, and more randomized domain registrations.

The Five Eyes' alert emphasizes the long-term, calculated strategies of the cyber attackers and the ongoing threat they pose to members of NATO and neighboring countries.