1. Home
  2. Groups
  3. Star Blizzard

Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]

ID: G1033
Associated Groups: SEABORGIUM, Callisto Group, TA446, COLDRIVER
Contributors: Aung Kyaw Min Naing, @Nolan
Version: 1.0
Created: 14 June 2024
Last Modified: 14 June 2024
Version Permalink

Associated Group Descriptions

Name Description
SEABORGIUM

[1]
Callisto Group

[2]
TA446

[2]
COLDRIVER

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 Acquire Infrastructure

Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails.[3]

.001 Domains

Star Blizzard has registered domains using randomized words and with names resembling legitimate organizations.[2][3]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Star Blizzard has used JavaScript to redirect victim traffic from an adversary controlled server to a server hosting the Evilginx phishing framework.[3]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Star Blizzard has used compromised email accounts to conduct spearphishing against contacts of the original victim.[2]
Enterprise T1114 .002 Email Collection: Remote Email Collection

Star Blizzard has remotely accessed victims' email accounts to steal messages and attachments.[2]
.003 Email Collection: Email Forwarding Rule

Star Blizzard has abused email forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access after compromised credentials are reset.[1][2]
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Star Blizzard has established fraudulent profiles on professional networking sites to conduct reconnaissance.[1][2]
.002 Establish Accounts: Email Accounts

Star Blizzard has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target.[1][2][4]
Enterprise T1589 Gather Victim Identity Information

Star Blizzard has identified ways to engage targets by researching potential victims' interests and social or professional contacts.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity.[2][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Star Blizzard has sent emails with malicious .pdf files to spread malware.[4]
Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Star Blizzard has sent emails to establish rapport with targets eventually sending messages with attachments containing links to credential-stealing sites.[1][2][3][4]
.003 Phishing for Information: Spearphishing Link

Star Blizzard has sent emails to establish rapport with targets eventually sending messages with links to credential-stealing sites.[1][2][3][4]
Enterprise T1593 Search Open Websites/Domains

Star Blizzard has used open-source research to identify information about victims to use in targeting.[1][2]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

Star Blizzard has uploaded malicious payloads to cloud storage sites.[4]
Enterprise T1539 Steal Web Session Cookie

Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains.[2]
Enterprise T1550 .004 Use Alternate Authentication Material: Web Session Cookie

Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.[2]
Enterprise T1204 .002 User Execution: Malicious File

Star Blizzard has lured targets into opening malicious .pdf files to deliver malware.[4]
Enterprise T1078 Valid Accounts

Star Blizzard has used stolen credentials to sign into victim email accounts.[1][2]

Software

ID Name References Techniques
S1140 Spica [4] Archive Collected Data, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task, Steal Web Session Cookie

References

  1. Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024.
  2. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  1. Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
  2. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.