Russia's 'Star Blizzard' APT Upgrades Its Stealth, Only to Be Unmasked Again

A state-sponsored Scooby-Doo villain has once again been thwarted by those meddling researchers.


After multiple exposures and disruptions, a Kremlin-sponsored advanced persistent threat (APT) actor has once again upgraded its evasion techniques. That upgrade, too, was exposed this week, this time by Microsoft.

"Star Blizzard" (aka Seaborgium, BlueCharlie, Callisto Group, and Coldriver) has been carrying out email credential theft in service of cyberespionage and cyber influence campaigns since at least 2017. Historically, it has aimed at public and private organizations in NATO member countries, typically in fields related to politics and defense — NGOs, think tanks, journalists, academic institutions, intergovernmental organizations, and so on. In recent years, it has especially targeted individuals and organizations providing support for Ukraine.

But Star Blizzard is as well known for its OpSec failures as for its successful breaches. Microsoft disrupted the group in August 2022, and Recorded Future has since tracked its not-so-subtle attempts to shift to new infrastructure. On Thursday, Microsoft returned with a report on the group's latest evasion efforts: five primary new tricks, most notably the weaponization of email marketing platforms.

Microsoft declined to provide comment for this article.

Star Blizzard's Latest TTPs

To sneak past email filters, Star Blizzard has started using password-protected PDF lure documents, or links to cloud-based file-sharing platforms hosting the protected PDFs. The password typically arrives in the same phishing email or in a follow-up sent shortly afterward.
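
As an added example (not code from the article, Microsoft or Recorded Future), here is a mail-gateway check in Python for the protected-lure pattern described above. It decides whether a PDF attachment is encrypted by inspecting the trailer and cross-reference-stream dictionaries rather than grepping the whole file for "/Encrypt", and flags the message when the document's password also appears in the body. The PDF bytes and message text are constructed for the example; the tokenizer is deliberately simplified (hex strings ending in ">>>" would need a real PDF lexer).

```python
import re

# Constructed sample PDFs (not real lure documents): only the trailer and
# cross-reference dictionaries matter for this check, so object bodies are
# abbreviated and byte offsets are not meaningful.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer\n<< /Size 3 /Root 1 0 R >>\n%%EOF\n"
)
ENCRYPTED_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -1 >> endobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R /Encrypt 4 0 R /ID [<0102> <0304>] >>\n%%EOF\n"
)
# PDF 1.5+ files may carry the trailer inside a cross-reference stream with no
# 'trailer' keyword at all; a check that only looks for 'trailer' misses these.
XREFSTREAM_ENCRYPTED_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Filter /Standard /V 5 /R 6 >> endobj\n"
    b"5 0 obj << /Type /XRef /Size 6 /W [1 2 1] /Root 1 0 R /Encrypt 4 0 R >>\n"
    b"stream\n....\nendstream\nendobj\n"
    b"startxref\n133\n%%EOF\n"
)


def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary that opens at data[start:start+2] == b'<<',
    counting nested '<<' / '>>' pairs (simplified: no string/hex tokenizing)."""
    depth, i = 0, start
    while i < len(data) - 1:
        if data[i:i + 2] == b"<<":
            depth += 1
            i += 2
        elif data[i:i + 2] == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return data[start:]  # unterminated dictionary: return what is there


def trailer_dicts(data: bytes):
    """Yield every trailer dictionary: classic 'trailer << >>' blocks and the
    dictionaries of cross-reference streams (/Type /XRef)."""
    for m in re.finditer(rb"trailer\s*<<", data):
        yield _balanced_dict(data, m.end() - 2)
    for m in re.finditer(rb"<<", data):
        d = _balanced_dict(data, m.start())
        if re.search(rb"/Type\s*/XRef\b", d):
            yield d


def is_encrypted_pdf(data: bytes) -> bool:
    """True if any trailer-level dictionary carries an /Encrypt entry. Looking
    only there avoids false positives from '/Encrypt' inside page content."""
    if not data.startswith(b"%PDF-"):
        return False
    return any(re.search(rb"/Encrypt\b", d) for d in trailer_dicts(data))


PASSWORD_HINT = re.compile(r"\b(password|passcode|passphrase)\b", re.IGNORECASE)


def triage_message(body: str, attachments: dict) -> list:
    """Return the reasons a message matches the protected-lure pattern
    ([] means no match). attachments maps filename -> raw bytes."""
    reasons = []
    encrypted = [name for name, data in attachments.items() if is_encrypted_pdf(data)]
    if encrypted:
        reasons.append("encrypted PDF attachment: " + ", ".join(sorted(encrypted)))
        if PASSWORD_HINT.search(body):
            reasons.append("document password supplied in the message body")
    return reasons
```

An encrypted attachment whose password travels in the same message is a scoring signal, not proof of phishing; legitimate senders do it too. The point of the check is that the gateway can still make a decision about a document it cannot open, and that the follow-up-email variant needs correlation across two messages from the same sender.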

To slow down human analysis, Star Blizzard has begun using a Domain Name System (DNS) provider as a reverse proxy — obscuring the IP addresses of its virtual private servers (VPSs) — and has added server-side JavaScript snippets intended to prevent automated scanning of its infrastructure.

It's also using a more randomized domain generation algorithm (DGA), making patterns in its domains harder to spot. As Microsoft points out, however, Star Blizzard domains still share certain defining characteristics: they're typically registered with Namecheap, in groups that often use similar naming conventions, and they carry TLS certificates from Let's Encrypt.
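
The shared characteristics Microsoft lists are weak on their own but useful as a pivot. The following Python, added here and not taken from Microsoft's or Recorded Future's reporting, clusters registrar and certificate-transparency records by normalized registrar, certificate issuer and the naming "shape" of the domain (hyphenated word/digit tokens plus TLD), then keeps only clusters registered within a short window. The records are constructed placeholders on the reserved .test TLD, not real Star Blizzard domains, and the shape function assumes two-label names.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed registrar / certificate-transparency records standing in for real
# data; none of these are actual Star Blizzard domains (.test is reserved).
RECORDS = [
    {"domain": "secure-docs-view.test",    "registrar": "NameCheap, Inc.",  "issuer": "Let's Encrypt", "created": date(2023, 9, 4)},
    {"domain": "cloud-file-share.test",    "registrar": "NameCheap, Inc.",  "issuer": "Let's Encrypt", "created": date(2023, 9, 6)},
    {"domain": "account-login-check.test", "registrar": "Namecheap",        "issuer": "Let's Encrypt", "created": date(2023, 9, 9)},
    {"domain": "mail-access-portal.test",  "registrar": "NameCheap, Inc.",  "issuer": "Let's Encrypt", "created": date(2023, 9, 15)},
    {"domain": "drive-share.test",         "registrar": "NameCheap, Inc.",  "issuer": "Let's Encrypt", "created": date(2023, 9, 7)},   # different shape
    {"domain": "corp-intranet-login.test", "registrar": "GoDaddy.com, LLC", "issuer": "DigiCert",      "created": date(2023, 9, 7)},   # different registrar and CA
    {"domain": "secure-docs-access.test",  "registrar": "NameCheap, Inc.",  "issuer": "Let's Encrypt", "created": date(2023, 12, 1)},  # same shape, outside the window
]


def name_shape(domain: str) -> str:
    """Reduce a domain to its naming convention: hyphen-separated tokens typed as
    word (w), digits (d) or mixed (a), plus the TLD. Assumes a two-label name
    (label.tld); multi-label public suffixes such as .co.uk are not handled."""
    label, _, tld = domain.lower().rpartition(".")
    kinds = []
    for token in label.split("-"):
        if token.isdigit():
            kinds.append("d")
        elif token.isalpha():
            kinds.append("w")
        else:
            kinds.append("a")
    return "-".join(kinds) + "." + tld


def normalize_registrar(name: str) -> str:
    """'NameCheap, Inc.' and 'Namecheap' both become 'namecheap'."""
    m = re.match(r"[a-z]+", name.lower())
    return m.group(0) if m else name.lower()


def cluster_domains(records, window_days=14, min_size=3):
    """Group records by (registrar, issuer, shape), then split each group into
    runs whose consecutive registration dates are at most window_days apart.
    Returns [(key, [record, ...]), ...] for runs of at least min_size domains."""
    groups = defaultdict(list)
    for r in records:
        key = (normalize_registrar(r["registrar"]), r["issuer"], name_shape(r["domain"]))
        groups[key].append(r)

    clusters = []
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["created"])
        run = [rs[0]]
        for prev, cur in zip(rs, rs[1:]):
            if (cur["created"] - prev["created"]).days <= window_days:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    clusters.append((key, run))
                run = [cur]
        if len(run) >= min_size:
            clusters.append((key, run))
    return clusters


if __name__ == "__main__":
    for key, members in cluster_domains(RECORDS):
        print(key, [m["domain"] for m in members])
```

Namecheap plus Let's Encrypt describes an enormous benign population, so a cluster produced this way is a hunting lead to enrich (shared name servers, hosting ASN, the reverse-proxy front mentioned above), not a detection on its own. Feed it from a certificate-transparency stream and the window logic gives you new infrastructure while it is still being stood up.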

And beyond these smaller tricks, Star Blizzard has begun to use the email marketing services MailerLite and HubSpot to route its phishing traffic.

Using Email Marketing for Phishing

As Microsoft explained in its blog, "the actor uses these services to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services can also provide the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the 'From' address in their campaigns."

Sometimes the group has combined tactics, embedding the email marketing URLs that redirect to its malicious servers inside the body of its password-protected PDFs. The combination removes the need to include any of its own domain infrastructure in the emails.
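
As an added example (not the article's, Microsoft's or the marketing platforms' code), here is the redirection chain described above walked one hop at a time in Python with automatic redirects disabled, so every intermediate URL is recorded and the chain seen by a scanner can be compared with the chain seen by a browser-like client. The hop table, host names and the User-Agent-based gating on the relay are constructed assumptions standing in for live responses and for the server-side anti-scanning checks mentioned earlier; they do not reproduce the actor's actual logic.

```python
from urllib.parse import urljoin, urlsplit

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SCANNER_UA = "python-requests/2.31.0"

# Constructed link-domain suffix standing in for a marketing platform's
# tracking hosts; the real platforms' domains are not asserted here.
MAILER_LINK_SUFFIXES = ("mailer-platform.example",)

ENTRY_URL = "https://campaign-4821.mailer-platform.example/track/c/abc123"


def _relay(user_agent):
    # Assumed gating: the relay only forwards clients that look like a browser;
    # anything else gets a harmless 200, so a naive scanner sees a dead end.
    if "Mozilla" in user_agent:
        return 302, {"Location": "/verify?s=1"}  # relative Location, must be resolved
    return 200, {}


# Constructed hop table standing in for live HTTP responses (status, headers).
TRANSPORT = {
    ENTRY_URL: lambda ua: (302, {"Location": "https://relay-node.example.net/go?id=7"}),
    "https://relay-node.example.net/go?id=7": _relay,
    "https://relay-node.example.net/verify?s=1": lambda ua: (302, {"Location": "https://login.webmail-lookalike.example/"}),
    "https://login.webmail-lookalike.example/": lambda ua: (200, {}),
}


def fake_fetch(url, user_agent):
    """Stand-in for one HTTP request with redirects disabled: (status, headers)."""
    handler = TRANSPORT.get(url)
    return handler(user_agent) if handler else (404, {})


REDIRECTS = {301, 302, 303, 307, 308}


def follow_chain(url, fetch, user_agent, max_hops=10):
    """Walk a redirect chain hop by hop, recording every URL, until a
    non-redirect response, a missing Location, a loop or the hop limit."""
    hops, seen = [url], {url}
    while True:
        status, headers = fetch(url, user_agent)
        if status not in REDIRECTS:
            return {"hops": hops, "final_status": status, "stopped": "terminal"}
        location = headers.get("Location")
        if not location:
            return {"hops": hops, "final_status": status, "stopped": "no_location"}
        url = urljoin(url, location)  # handles relative Location headers
        if url in seen:
            return {"hops": hops, "final_status": status, "stopped": "loop"}
        hops.append(url)
        seen.add(url)
        if len(hops) > max_hops:
            return {"hops": hops, "final_status": status, "stopped": "max_hops"}


def assess(result):
    """Summarise where a chain entered and where it ended up."""
    entry_host = urlsplit(result["hops"][0]).hostname or ""
    final_host = urlsplit(result["hops"][-1]).hostname or ""
    return {
        "entry_on_mailer": entry_host.endswith(MAILER_LINK_SUFFIXES),
        "left_mailer": not final_host.endswith(MAILER_LINK_SUFFIXES),
        "hop_count": len(result["hops"]) - 1,
        "final_host": final_host,
        "stopped": result["stopped"],
    }


if __name__ == "__main__":
    for ua in (SCANNER_UA, BROWSER_UA):
        print(ua, "->", assess(follow_chain(ENTRY_URL, fake_fetch, ua)))
```

To use this against live infrastructure, replace fake_fetch with a real client that has redirects disabled (for example a HEAD or GET with allow_redirects=False) and call follow_chain with a realistic User-Agent, ideally from a non-datacenter vantage point: because the relay decides what to show based on who is asking, the scanner profile and the browser profile can legitimately produce different chains, and the difference itself is a finding. The "left_mailer" flag is only meaningful once the entry host is known to belong to a marketing platform; a link that leaves such a platform for a fresh, unrelated login host is the pattern the article describes.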

"Their use of cloud-based platforms like HubSpot, MailerLite, and virtual private servers (VPS) partnered with server-side scripts to prevent automated scanning is an interesting approach," explains Recorded Future Insikt Group threat intelligence analyst Zoey Selman, "as it enables BlueCharlie to set allow parameters to redirect the victim to threat actor infrastructure only when the requirements are met."

Recently, researchers observed the group using email marketing services to target think tanks and research organizations, using a common lure, with the goal of obtaining credentials for a U.S. grants management portal.

The group has seen some other recent success, as well, Selman notes, "most notably against UK government officials in credential-harvesting and hack-and-leak operations in use in influence operations, such as against former UK MI6 chief Richard Dearlove, British Parliamentarian Stewart McDonald, and is known to have at least attempted to target employees of some of the US' most high profile national nuclear laboratories."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
