New reports from both Microsoft's Digital Crimes Unit and the U.S. Department of Justice expose a disruptive operation against more than 100 servers used by "Star Blizzard" -- a Russian-based cyber threat actor specializing in compromising email boxes to exfiltrate sensitive content or interfere with the target's activities.
Star Blizzard is also known as Seaborgium, Callisto Group, TA446, Coldriver, TAG-53 or BlueCharlie. According to various government entities around the globe, Star Blizzard is subordinate to the Russian Federal Security Service (FSB) Centre 18.
The threat actor has been active since at least late 2015, according to a report from cybersecurity company F-Secure. The report indicated the group targeted military personnel, government officials, and think tanks and journalists in Europe and the South Caucasus, with a primary interest of gathering intelligence related to foreign and security policy in those regions.
Star Blizzard is known for setting up infrastructure to launch spear phishing attacks, often targeting the personal email accounts of selected targets. These accounts typically have weaker security protections than professional email accounts.
As stated by Microsoft's Assistant General Counsel Steven Masada in a press release: "Star Blizzard is persistent. They meticulously study their targets and pose as trusted contacts to achieve their goals."
Once infrastructure is exploited, the threat actor can quickly switch to new infrastructure, rendering it difficult for defenders to detect and block the used domains or IP addresses. In particular, the group uses multiple registrars to register domain names and leverage multiple link-shortening services to redirect users to phishing pages operated using the infamous Evilginx phishing kit. The group also uses open redirectors from legitimate websites.
The threat actor has also used altered versions of legitimate email templates, such as OneDrive file share notifications. In this case, the group used newly created email addresses intended to impersonate a trusted sender so the recipient would be more likely to open the phishing email. The email would contain a link to a modified PDF or DOCX file hosted on a cloud storage service, ultimately leading to the Evilginx phishing kit. This allowed the attackers to execute a man-in-the-middle attack capable of bypassing Multi-Factor Authentication.
The DOJ announced the seizure of 41 Internet domains and additional proxies used by the Russian threat actor, while a coordinated civil action from Microsoft restrained 66 additional domains used by the threat actor.
The domains were used by the threat actor to run spear phishing attacks to compromise targeted systems or e-mail boxes, for cyberespionage purposes.
Star Blizzard is expected to quickly rebuild an infrastructure for its fraudulent activities. However, Microsoft reports that the disruption operation impacts the threat actor's activities at a critical moment, when foreign interference in U.S. democratic processes are at their highest. It will also enable Microsoft to disrupt any new infrastructure faster through an existing court proceeding.
To avoid Star Blizzard, reports suggest that organizations should:
The threat actor's phishing emails appear to be from known contacts that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders, as the threat actor has often used that email provider in the past.
Should doubt arise, users should not click on a link. Instead, they should report the suspicious email to their IT or security staff for analysis. To achieve this, users should be educated and trained to detect spear phishing attempts.