New reports from both Microsoft’s Digital Crimes Unit and the U.S. Department of Justice expose a disruptive operation against more than 100 servers used by “Star Blizzard” — a Russian-based cyber threat actor specializing in compromising email boxes to exfiltrate sensitive content or interfere with the target’s activities.

Who is Star Blizzard?

Star Blizzard is also known as Seaborgium, Callisto Group, TA446, Coldriver, TAG-53 or BlueCharlie. According to various government entities around the globe, Star Blizzard is subordinate to the Russian Federal Security Service (FSB) Centre 18.

The threat actor has been active since at least late 2015, according to a report from cybersecurity company F-Secure. The report indicated the group targeted military personnel, government officials, and think tanks and journalists in Europe and the South Caucasus, with a primary interest of gathering intelligence related to foreign and security policy in those regions.

According to reports:

  • Since 2019, Star Blizzard has targeted the defense and governmental organizations in the U.S. as well as other areas such as the academic sector or different NGOs and politicians.
  • In 2022, the group expanded and started targeting defense-industrial targets as well as US Department of Energy facilities.
  • Since January 2023, Microsoft has identified 82 different targets for the threat actor, at a rate of approximately one attack per week.

SEE: How to Create an Effective Cybersecurity Awareness Program (TechRepublic Premium)

Modus opérandi

Star Blizzard is known for setting up infrastructure to launch spear phishing attacks, often targeting the personal email accounts of selected targets. These accounts typically have weaker security protections than professional email accounts.

As stated by Microsoft’s Assistant General Counsel Steven Masada in a press release: “Star Blizzard is persistent. They meticulously study their targets and pose as trusted contacts to achieve their goals.”

Sample spear phishing email.
Sample spear phishing email. Image: Microsoft

Once infrastructure is exploited, the threat actor can quickly switch to new infrastructure, rendering it difficult for defenders to detect and block the used domains or IP addresses. In particular, the group uses multiple registrars to register domain names and leverage multiple link-shortening services to redirect users to phishing pages operated using the infamous Evilginx phishing kit. The group also uses open redirectors from legitimate websites.

Redirection chain using several redirectors and link-shortening services.
Redirection chain using several redirectors and link-shortening services. Image: Microsoft

The threat actor has also used altered versions of legitimate email templates, such as OneDrive file share notifications. In this case, the group used newly created email addresses intended to impersonate a trusted sender so the recipient would be more likely to open the phishing email. The email would contain a link to a modified PDF or DOCX file hosted on a cloud storage service, ultimately leading to the Evilginx phishing kit. This allowed the attackers to execute a man-in-the-middle attack capable of bypassing Multi-Factor Authentication.

Massive disruption

The DOJ announced the seizure of 41 Internet domains and additional proxies used by the Russian threat actor, while a coordinated civil action from Microsoft restrained 66 additional domains used by the threat actor.

The domains were used by the threat actor to run spear phishing attacks to compromise targeted systems or e-mail boxes, for cyberespionage purposes.

Star Blizzard is expected to quickly rebuild an infrastructure for its fraudulent activities. However, Microsoft reports that the disruption operation impacts the threat actor’s activities at a critical moment, when foreign interference in U.S. democratic processes are at their highest. It will also enable Microsoft to disrupt any new infrastructure faster through an existing court proceeding.

Want protection from this threat? Educate and train your staff.

To avoid Star Blizzard, reports suggest that organizations should:

The threat actor’s phishing emails appear to be from known contacts that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders, as the threat actor has often used that email provider in the past.

Should doubt arise, users should not click on a link. Instead, they should report the suspicious email to their IT or security staff for analysis. To achieve this, users should be educated and trained to detect spear phishing attempts.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Microsoft Weekly Newsletter

Be your company's Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays

Subscribe to the Microsoft Weekly Newsletter

Be your company's Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays