Star Blizzard
Associated Group Descriptions

Name | Description
---|---
Callisto Group | (Citation: CISA Star Blizzard Advisory December 2023)
TA446 | (Citation: CISA Star Blizzard Advisory December 2023)
COLDRIVER | (Citation: Google TAG COLDRIVER January 2024)
SEABORGIUM | (Citation: Microsoft Star Blizzard August 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Star Blizzard has registered domains using randomized words and with names resembling those of legitimate organizations.(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Star Blizzard has used JavaScript to redirect victim traffic from an adversary-controlled server to a server hosting the Evilginx phishing framework.(Citation: StarBlizzard)
Enterprise | T1586.002 | Compromise Accounts: Email Accounts | Star Blizzard has used compromised email accounts to conduct spearphishing against contacts of the original victim.(Citation: CISA Star Blizzard Advisory December 2023)
Enterprise | T1114.002 | Email Collection: Remote Email Collection | Star Blizzard has remotely accessed victims' email accounts to steal messages and attachments.(Citation: CISA Star Blizzard Advisory December 2023)
Enterprise | T1114.003 | Email Collection: Email Forwarding Rule | Star Blizzard has abused email forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access after compromised credentials are reset.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)
Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | Star Blizzard has established fraudulent profiles on professional networking sites to conduct reconnaissance.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)
Enterprise | T1585.002 | Establish Accounts: Email Accounts | Star Blizzard has registered impersonation email accounts to spoof experts in a particular field, or individuals and organizations affiliated with the intended target.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: Google TAG COLDRIVER January 2024)
Enterprise | T1588.002 | Obtain Capabilities: Tool | Star Blizzard has incorporated the open-source Evilginx framework into their spearphishing activity.(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Star Blizzard has sent emails with malicious .pdf files to spread malware.(Citation: Google TAG COLDRIVER January 2024)
Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | Star Blizzard has sent emails to establish rapport with targets before eventually sending messages with attachments containing links to credential-stealing sites.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Star Blizzard has sent emails to establish rapport with targets before eventually sending messages with links to credential-stealing sites.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Star Blizzard has uploaded malicious payloads to cloud storage sites.(Citation: Google TAG COLDRIVER January 2024)
Enterprise | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stolen with Evilginx.(Citation: CISA Star Blizzard Advisory December 2023)
Enterprise | T1204.002 | User Execution: Malicious File | Star Blizzard has lured targets into opening malicious .pdf files to deliver malware.(Citation: Google TAG COLDRIVER January 2024)
Software

ID | Name | References | Techniques
---|---|---|---
S1140 | Spica | (Citation: Google TAG COLDRIVER January 2024) | PowerShell, Ingress Tool Transfer, Archive Collected Data, File and Directory Discovery, Steal Web Session Cookie, Scheduled Task, Masquerade Task or Service, Non-Application Layer Protocol, Deobfuscate/Decode Files or Information
References
- CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
- Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
- Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
- Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024.