www.cisa.gov Open in urlscan Pro
2a02:26f0:3500:88d::447a  Public Scan

URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a
Submission: On December 22 via api from IN — Scanned from DE

Form analysis 2 forms found in the DOM

<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
  <table cellspacing="0" cellpadding="0" role="presentation" class="gsc-search-box">
    <tbody>
      <tr>
        <td class="gsc-input">
          <div class="gsc-input-box" id="gsc-iw-id1">
            <table cellspacing="0" cellpadding="0" role="presentation" id="gs_id50" class="gstl_50 gsc-input" style="width: 100%; padding: 0px;">
              <tbody>
                <tr>
                  <td id="gs_tti50" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="search" aria-label="search" id="gsc-i-id1" dir="ltr" spellcheck="false"
                      style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; outline: none;"></td>
                  <td class="gsib_b">
                    <div class="gsst_b" id="gs_st50" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb50" aria-hidden="true">×</span></a></div>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
        </td>
        <td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13">
              <title>search</title>
              <path
                d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
              </path>
            </svg></button></td>
        <td class="gsc-clear-button">
          <div class="gsc-clear-button" title="clear results">&nbsp;</div>
        </td>
      </tr>
    </tbody>
  </table>
</form>

<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
  <table cellspacing="0" cellpadding="0" role="presentation" class="gsc-search-box">
    <tbody>
      <tr>
        <td class="gsc-input">
          <div class="gsc-input-box" id="gsc-iw-id2">
            <table cellspacing="0" cellpadding="0" role="presentation" id="gs_id51" class="gstl_51 gsc-input" style="width: 100%; padding: 0px;">
              <tbody>
                <tr>
                  <td id="gs_tti51" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="search" aria-label="search" id="gsc-i-id2" dir="ltr" spellcheck="false"
                      style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; outline: none;"></td>
                  <td class="gsib_b">
                    <div class="gsst_b" id="gs_st51" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb51" aria-hidden="true">×</span></a></div>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
        </td>
        <td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13">
              <title>search</title>
              <path
                d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
              </path>
            </svg></button></td>
        <td class="gsc-clear-button">
          <div class="gsc-clear-button" title="clear results">&nbsp;</div>
        </td>
      </tr>
    </tbody>
  </table>
</form>

Text Content

Skip to main content

An official website of the United States government

Here’s how you know

Here’s how you know

Official websites use .gov
A .gov website belongs to an official government organization in the United
States.

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the
.gov website. Share sensitive information only on official, secure websites.


Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

×

search
 

Menu
Close
×

search
 

 * Topics
   Topics
   Cybersecurity Best Practices
   Cyber Threats and Advisories
   Critical Infrastructure Security and Resilience
   Election Security
   Emergency Communications
   Industrial Control Systems
   Information and Communications Technology Supply Chain Security
   Partnerships and Collaboration
   Physical Security
   Risk Management
   How can we help?
   GovernmentEducational InstitutionsIndustryState, Local, Tribal, and
   TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help
   LocallyFaith-Based CommunityExecutives
 * Spotlight
 * Resources & Tools
   Resources & Tools
   All Resources & Tools
   Services
   Programs
   Resources
   Training
   Groups
 * News & Events
   News & Events
   News
   Events
   Cybersecurity Alerts & Advisories
   Directives
   Request a CISA Speaker
   Congressional Testimony
 * Careers
   Careers
   Benefits & Perks
   HireVue Applicant Reasonable Accommodations Process
   Hiring
   Resume & Application Tips
   Students & Recent Graduates
   Veteran and Military Spouses
   Work @ CISA
 * About
   About
   Culture
   Divisions & Offices
   Regions
   Leadership
   Doing Business with CISA
   Site Links
   Reporting Employee and Contractor Misconduct
   CISA GitHub
   Contact Us

Report a Cyber Issue
America's Cyber Defense Agency
Breadcrumb
 1. Home
 2. News & Events
 3. Cybersecurity Advisories
 4. Cybersecurity Advisory

Share:


Cybersecurity Advisory


RUSSIAN FSB CYBER ACTOR STAR BLIZZARD CONTINUES WORLDWIDE SPEAR-PHISHING
CAMPAIGNS

Release Date
December 07, 2023
Alert Code
AA23-341A
Related topics:
Advanced Persistent Threats and Nation-State Actors, Cyber Threats and
Advisories, Malware, Phishing, and Ransomware


THE RUSSIA-BASED ACTOR IS TARGETING ORGANIZATIONS AND INDIVIDUALS IN THE UK AND
OTHER GEOGRAPHICAL AREAS OF INTEREST.


OVERVIEW

The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known
as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully
use spear-phishing attacks against targeted organizations and individuals in the
UK, and other geographical areas of interest, for information-gathering
activity.

The UK National Cyber Security Centre (NCSC), the US Cybersecurity and
Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation
(FBI), the US National Security Agency (NSA), the US Cyber National Mission
Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security
Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New
Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is
almost certainly subordinate to the Russian Federal Security Service (FSB)
Centre 18.

Industry has previously published details of Star Blizzard. This advisory draws
on that body of information(link is external).

This advisory raises awareness of the spear-phishing techniques Star Blizzard
uses to target individuals and organizations. This activity is continuing
through 2023.

To download a PDF version of this advisory, see Russian FSB Cyber Actor Star
Blizzard Continues Worldwide Spear-phishing Campaigns(link is external).


TARGETING PROFILE

Since 2019, Star Blizzard has targeted sectors including academia, defense,
governmental organizations, NGOs, think tanks and politicians.

Targets in the UK and US appear to have been most affected by Star Blizzard
activity, however activity has also been observed against targets in other NATO
countries, and countries neighboring Russia.

During 2022, Star Blizzard activity appeared to expand further, to include
defense-industrial targets, as well as US Department of Energy facilities.


OUTLINE OF THE ATTACKS

The activity is typical of spear-phishing campaigns, where an actor targets a
specific individual or group using information known to be of interest to the
targets. In a spear-phishing campaign, an actor perceives their target to have
direct access to information of interest, be an access vector to another target,
or both.

RESEARCH AND PREPARATION

Using open-source resources to conduct reconnaissance, including social media
and professional networking platforms, Star Blizzard identifies hooks to engage
their target. They take the time to research their interests and identify their
real-world social or professional contacts [T1589(link is external)],
[T1593(link is external)].

Star Blizzard creates email accounts impersonating known contacts of their
targets to help appear legitimate. They also create fake social media or
networking profiles that impersonate respected experts [T1585.001(link is
external)] and have used supposed conference or event invitations as lures.

Star Blizzard uses webmail addresses from different providers, including
Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002(link
is external)], impersonating known contacts of the target or well-known names in
the target’s field of interest or sector.

To appear authentic, the actor also creates malicious domains resembling
legitimate organizations [T1583.001(link is external)].

Microsoft Threat Intelligence Center (MSTIC) provides a list of observed
Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not
exhaustive.

PREFERENCE FOR PERSONAL EMAIL ADDRESSES

Star Blizzard has predominantly sent spear-phishing emails to targets’ personal
email addresses, although they have also used targets’ corporate or business
email addresses. The actors may intentionally use personal emails to circumvent
security controls in place on corporate networks.

BUILDING A RAPPORT

Having taken the time to research their targets’ interests and contacts to
create a believable approach, Star Blizzard now starts to build trust. They
often begin by establishing benign contact on a topic they hope will engage
their targets. There is often some correspondence between attacker and target,
sometimes over an extended period, as the attacker builds rapport.

DELIVERY OF MALICIOUS LINK

Once trust is established, the attacker uses typical phishing tradecraft and
shares a link [T1566.002(link is external)], apparently to a document or website
of interest. This leads the target to an actor-controlled server, prompting the
target to enter account credentials.

The malicious link may be a URL in an email message, or the actor may embed a
link in a document [T1566.001(link is external)] on OneDrive, Google Drive, or
other file-sharing platforms(link is external).

Star Blizzard uses the open-source framework EvilGinx in their spear- phishing
activity, which allows them to harvest credentials and session cookies to
successfully bypass the use of two-factor authentication [T1539(link is
external)], [T1550.004(link is external)].

EXPLOITATION AND FURTHER ACTIVITY

Whichever delivery method is used, once the target clicks on the malicious URL,
they are directed to an actor-controlled server that mirrors the sign-in page
for a legitimate service. Any credentials entered at this point are now
compromised.

Star Blizzard then uses the stolen credentials to log in to a target’s email
account [T1078(link is external)], where they are known to access and steal
emails and attachments from the victim’s inbox [T1114.002(link is external)].
They have also set up mail- forwarding rules, giving them ongoing visibility of
victim correspondence [T1114.003(link is external)].

The actor has also used their access to a victim email account to access
mailing-list data and a victim’s contacts list, which they then use for follow-
on targeting. They have also used compromised email accounts for further
phishing activity [T1586.002(link is external)].


CONCLUSION

Spear-phishing is an established technique used by many actors, and Star
Blizzard uses it successfully, evolving the technique to maintain their success.

Individuals and organizations from previously targeted sectors should be
vigilant of the techniques described in this advisory.

In the UK you can report related suspicious activity to the NCSC(link is
external).

Information on effective defense against spear-phishing is included in the
Mitigations section below.


MITRE ATT&CK®

This report has been compiled with respect to the MITRE ATT&CK®(link is
external) framework, a globally accessible knowledge base of adversary tactics
and techniques based on real-world observations.

Tactic

ID

Technique

Procedure

Reconnaissance

T1593(link is external)

Search Open Websites/Domains

Star Blizzard uses open-source research and social media to identify information
about victims to use in targeting.

Reconnaissance

T1589(link is external)

Gather Victim Identity Information

Star Blizzard uses online data sets and open-source resources to gather
information about their targets.

Resource Development

T1585.001(link is external)

Establish Accounts: Social Media Accounts

Star Blizzard has been observed establishing fraudulent profiles on professional
networking sites to conduct reconnaissance.

Resource Development

T1585.002(link is external)

Establish Accounts: Email Accounts

Star Blizzard registers consumer email accounts matching the names of
individuals they are impersonating to conduct spear-phishing activity.

Resource Development

T1583.001(link is external)

Acquire Infrastructure: Domains

Star Blizzard registers domains to host their phishing framework.

Resource Development

T1586.002(link is external)

Compromise Accounts: Email Accounts

Star Blizzard has been observed using compromised victim email accounts to
conduct spear-phishing activity against contacts of the original victim.

Initial Access

T1078(link is external)

Valid Accounts

Star Blizzard uses compromised credentials, captured from fake log- in pages, to
log in to valid victim user accounts.

Initial Access

T1566.001(link is external)

Phishing: Spear-phishing Attachment

Star Blizzard uses malicious links embedded in email attachments to direct
victims to their credential-stealing sites.

Initial Access

T1566.002(link is external)

Phishing: Spear-phishing Link

Star Blizzard sends spear-phishing emails with malicious links directly to
credential-stealing sites, or to documents hosted on a file-sharing site, which
then direct victims to credential-stealing sites.

Defense Evasion

T1550.004(link is external)

Use Alternate Authentication Material: Web Session Cookie

Star Blizzard bypasses multi-factor authentication on victim email accounts by
using session cookies stolen using EvilGinx.

Credential Access

T1539(link is external)

Steal Web Session Cookie

Star Blizzard uses EvilGinx to steal the session cookies of victims directed to
their fake log-in domains.

Collection

T1114.002(link is external)

Email Collection: Remote Email Collection

Star Blizzard interacts directly with externally facing Exchange services,
Office 365 and Google Workspace to access email and steal information using
compromised credentials or access tokens.

Collection

T1114.003(link is external)

Email Collection: Email Forwarding Rule

Star Blizzard abuses email- forwarding rules to monitor the activities of a
victim, steal information, and maintain persistent access to victim's emails,
even after compromised credentials are reset.


MITIGATIONS

A number of mitigations will be useful in defending against the activity
described in this advisory.

 * Use strong passwords. Use a separate password for email accounts and avoid
   password re-use across multiple services. See NCSC guidance: Top Tips for
   Staying Secure Online(link is external).
 * Use multi-factor authentication (2-factor authentication/two-step
   authentication) to reduce the impact of password compromises. See NCSC
   guidance: Multi-factor Authentication for Online Services(link is
   external) and Setting Up 2-Step Verification (2SV)(link is external).
 * Protect your devices and networks by keeping them up to date: Use the latest
   supported versions, apply security updates promptly, use anti-virus and scan
   regularly to guard against known malware threats. See NCSC guidance: Device
   Security Guidance(link is external).
 * Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion.
   You may recognize the sender’s name, but has the email come from an address
   that you recognize? Would you expect contact from this person’s webmail
   address rather than their corporate email address? Has the suspicious email
   come to your personal/webmail address rather than your corporate one? Can you
   verify that the email is legitimate via another means? See NCSC
   guidance: Phishing attacks: Defending Your Organization(link is external) and
   Internet Crime Complaint Center(IC3) | Industry Alerts.
 * Enable your email providers’ automated email scanning features. These are
   turned on by default for consumer mail providers. See NCSC guidance: Telling
   Users to "Avoid Clicking Bad Links" Still Isn’t Working(link is external).
 * Disable mail-forwarding. Attackers have been observed to set up
   mail-forwarding rules to maintain visibility of target emails. If you cannot
   disable mail-forwarding, then monitor settings regularly to ensure that a
   forwarding rule has not been set up by an external malicious actor.


DISCLAIMER

This report draws on information derived from NCSC and industry sources. Any
NCSC findings and recommendations made have not been provided with the intention
of avoiding all risks and following the recommendations will not remove all such
risk. Ownership of information risks remains with the relevant system owner at
all times.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and
may be exempt under other UK information legislation.

Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk(link sends email).

All material is UK Crown Copyright©.

This product is provided subject to this Notification and this Privacy &
Use policy.


TAGS

Topics
Advanced Persistent Threats and Nation-State Actors, Cyber Threats and
Advisories, Malware, Phishing, and Ransomware


PLEASE SHARE YOUR THOUGHTS

We recently updated our anonymous product survey; we’d welcome your feedback.


RELATED ADVISORIES

Dec 19, 2023
Cybersecurity Advisory | AA23-353A


#STOPRANSOMWARE: ALPHV BLACKCAT

Dec 18, 2023
Cybersecurity Advisory | AA23-352A


#STOPRANSOMWARE: PLAY RANSOMWARE

Dec 15, 2023
Cybersecurity Advisory | AA23-349A


ENHANCING CYBER RESILIENCE: INSIGHTS FROM THE CISA HEALTHCARE AND PUBLIC HEALTH
SECTOR RISK AND VULNERABILITY ASSESSMENT

Dec 13, 2023
Cybersecurity Advisory | AA23-347A


RUSSIAN FOREIGN INTELLIGENCE SERVICE (SVR) EXPLOITING JETBRAINS TEAMCITY CVE
GLOBALLY

Return to top
 * Topics
 * Spotlight
 * Resources & Tools
 * News & Events
 * Careers
 * About

Cybersecurity & Infrastructure Security Agency
 * Facebook
 * Twitter
 * LinkedIn
 * YouTube
 * Instagram
 * RSS

CISA Central 888-282-0870 Central@cisa.dhs.gov(link sends email)
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
 * About CISA
 * Accessibility
 * Budget and Performance
 * DHS.gov
 * FOIA Requests
 * No FEAR Act
 * Office of Inspector General
 * Privacy Policy
 * Subscribe
 * The White House
 * USA.gov
 * Website Feedback