Fort George G. Meade, MD -- U.S. Cyber Command’s Cyber National Mission Force, alongside interagency and foreign partners, issued a joint Cybersecurity Advisory highlighting advanced spear-phishing campaigns and tactics and techniques from the Russia-based malicious cyber actor Star Blizzard (formerly known as SEABORGIUM; also known as Callisto Group, TA446, COLDRIVER, TAG-53, and/or BlueCharlie).
The United Kingdom’s National Cyber Security Centre, joined by the Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and U.S. government interagency partners at the Cybersecurity and Infrastructure Security Agency, FBI, the National Security Agency, and CNMF, released the joint CSA, “Russia FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns,” Dec. 7, to raise public awareness of the specific and targeted spearphishing techniques used by Star Blizzard to target individuals and organizations.
Since 2019, the group, linked to Russian Federal Security Service Center 18, has targeted sectors including academia, defense, governmental organizations, non-governmental organizations, think tanks, and high-profile individuals. Targets in the U.K. and U.S. appear to have been most affected; however, their activities have also been observed against targets in various NATO countries and countries neighboring Russia.
Star Blizzard is known to use open-source resources to conduct reconnaissance, including social media and professional networking platforms, hooking their targets, building trust, and ultimately attempting to gain access to their targets’ email accounts. Once they gain access, Star Blizzard is known to set up mail forwarding rules, granting ongoing visibility of a victim’s correspondence and contact lists, utilizing this information and accesses for follow-on targeting and phishing activities.
Although spear-phishing is an established technique used by many actors, Star Blizzard has successfully evolved their use and technique to maintain this capability. Individuals and organizations from previously targeted sectors should be vigilant of the techniques above.
For more information on the group’s tactics and techniques, as well as mitigation actions, read the full report here.