Russian FSB accused of spear-phishing campaign against UK, US and allies

Star Blizzard threat actor is “almost certainly” subordinate to the Russian Federal Security Service Centre 18

Michael Hill
12/08/2023

https://www.ncsc.gov.uk/news/uk-and-allies-expose-cyber-campaign-attempted-political-interference

The Russia-based actor Star Blizzard (formerly known as SEABORGIUM) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK and US, as well as other geographical areas of interest, for information-gathering activity. That’s according to an international cyber security advisory from multiple governments which states that Star Blizzard (also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

Star Blizzard has targeted sectors including academia, governmental organizations, NGOs, think tanks and politicians since 2019. Targets in the UK and US appear to have been most affected by Star Blizzard activity; however, activity has also been observed against targets in other NATO countries and in countries neighboring Russia, the advisory read. More recently, Star Blizzard activity appeared to expand further to include defense-industrial targets, as well as US Department of Energy facilities.

The UK Foreign Office has summoned the Russian ambassador and sanctioned a Russian intelligence officer along with a second member of the Star Blizzard group, according to Sky News. The UK government said the malicious cyber activity is an attempt to interfere in UK politics and democratic processes.

Star Blizzard conducts reconnaissance and impersonates contacts of their targets

Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage targets, the advisory stated. “They take the time to research their interests and identify their real-world social or professional contacts.”

The threat actor creates email accounts impersonating known contacts of their targets to help appear legitimate. “They also create fake social media or networking profiles that impersonate respected experts and have used supposed conference or event invitations as lures.” Star Blizzard uses webmail addresses from different providers including Outlook, Gmail, Yahoo and Proton Mail in their initial approach.
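The approach described above leaves a signal that a mailbox-side check can catch: the display name matches someone in the recipient's address book, but the sending address does not, and often sits on a consumer webmail domain. The following is an added example for this article, not code from the advisory or from NCSC; the address book, the sample messages and the list of webmail domains beyond the four providers the advisory names are constructed for the illustration.

```python
"""Flag inbound mail whose display name impersonates a known contact.

Added example for this article, not code from the advisory or from NCSC.
The address book and sample messages below are constructed.
"""
import email
import unicodedata
from email import policy

# Consumer webmail domains. The advisory names Outlook, Gmail, Yahoo and
# Proton Mail; the extra entries are those providers' other domains.
WEBMAIL_DOMAINS = {
    "outlook.com", "hotmail.com", "live.com",
    "gmail.com", "yahoo.com", "yahoo.co.uk",
    "proton.me", "protonmail.com",
}

# Hypothetical address book: normalised display name -> addresses on file.
KNOWN_CONTACTS = {
    "jane doe": {"jane.doe@thinktank.example"},
    "alan smith": {"a.smith@uni.example", "alan.smith@uni.example"},
}

TITLES = {"dr", "prof", "mr", "mrs", "ms", "sir"}


def normalise_name(name: str) -> str:
    """Fold case and accents, drop honorifics, collapse whitespace.

    Without this, "Dr. Alan  Smith" or "Alan Smíth" would miss the lookup.
    """
    nfkd = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    words = (w.strip(".,").lower() for w in folded.split())
    return " ".join(w for w in words if w and w not in TITLES)


def check_from_header(raw_message: str) -> list[str]:
    """Return findings for the From header of one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None:
        return ["message has no From header"]
    findings = []
    for addr in from_hdr.addresses:
        known = KNOWN_CONTACTS.get(normalise_name(addr.display_name))
        sender = addr.addr_spec.lower()
        if known and sender not in known:
            note = (f"display name {addr.display_name!r} matches a known contact "
                    f"but {sender} is not an address on file")
            if addr.domain.lower() in WEBMAIL_DOMAINS:
                note += " (consumer webmail domain)"
            findings.append(note)
    return findings


# Constructed samples: an impersonation, a genuine message, an unknown sender.
SAMPLE_IMPERSONATION = (
    'From: "Dr. Alan Smith" <alan.smith.uni@gmail.com>\r\n'
    "To: analyst@ngo.example\r\n"
    "Subject: Invitation to speak at our roundtable\r\n\r\n"
    "Hello, would you be free to join us in March?\r\n"
)
SAMPLE_GENUINE = (
    "From: Alan Smith <a.smith@uni.example>\r\n"
    "To: analyst@ngo.example\r\n"
    "Subject: Re: draft\r\n\r\nLooks good to me.\r\n"
)
SAMPLE_UNKNOWN = (
    "From: Vendor News <news@vendor.example>\r\n"
    "To: analyst@ngo.example\r\n"
    "Subject: Monthly update\r\n\r\n...\r\n"
)

if __name__ == "__main__":
    for label, sample in [("impersonation", SAMPLE_IMPERSONATION),
                          ("genuine", SAMPLE_GENUINE), ("unknown", SAMPLE_UNKNOWN)]:
        print(label, "->", check_from_header(sample) or "no findings")
```

This is a heuristic, not a verdict: the advisory notes that the actor deliberately targets personal email addresses, and genuine contacts also write from personal webmail accounts, so a hit should route the message for a closer look (or prompt the recipient to confirm through a known channel) rather than block it outright.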

Personal email addresses targeted with spear-phishing

Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses, the government said. “The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.”

Having researched their targets’ interests and contacts to create a believable approach, Star Blizzard then starts to build trust with potential victims. “They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.”

Once trust is established, the attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials. “The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, Google Drive or other file-sharing platforms.”

Threat actor uses open-source framework to harvest credentials and session cookies

Star Blizzard uses the open-source framework EvilGinx to harvest credentials and session cookies, bypassing two-factor authentication (2FA). Once the target clicks the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page of a legitimate service. EvilGinx works as a reverse proxy: it relays what the victim types to the real service, so the victim completes the genuine login, including the 2FA prompt, while the proxy records the password and the session cookie the service issues afterwards. Replaying that cookie gives the actor an already-authenticated session with no further 2FA challenge, which is why credentials entered at this point are compromised even when 2FA is enabled.

“Star Blizzard then uses the stolen credentials to log in to a target’s email account, where they are known to access and steal emails and attachments from the victim’s inbox. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence.”

Furthermore, the actor has used their access to a victim email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity.
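The mail-forwarding rules described above are the persistence mechanism a responder should hunt for after a suspected account takeover. The following is an added example for this article, not code from the advisory: it scans mailbox audit records and flags any inbox rule or mailbox setting that sends mail to a domain outside the organisation. The record layout (Operation, UserId, Parameters as Name/Value pairs) is modelled on Microsoft 365 Exchange admin audit records and is an assumption to check against your own export; the records themselves are constructed. It goes slightly beyond the article by also weighting rules that delete the original message, since that hides the forwarded copy from the mailbox owner.

```python
"""Hunt for external mail-forwarding set up in a compromised mailbox.

Added example for this article, not code from the advisory. Record layout is
an assumption modelled on Microsoft 365 Exchange admin audit records; all
records below are constructed.
"""
import json
import re
from dataclasses import dataclass

ORG_DOMAINS = {"ngo.example"}  # hypothetical tenant domains

# Cmdlets and parameters that can send a copy of mail elsewhere.
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass(frozen=True)
class Finding:
    actor: str
    operation: str
    external_targets: tuple
    deletes_original: bool
    severity: str


def forwarding_targets(params: list) -> list[str]:
    """Extract every SMTP address from forwarding-related parameters.

    Values come in several shapes ("smtp:x@y", 'Name [SMTP:x@y]', a plain
    address), so a regex is safer than splitting on a fixed separator.
    """
    out = []
    for p in params:
        if p.get("Name") in FORWARD_PARAMS:
            out.extend(a.lower() for a in ADDR_RE.findall(str(p.get("Value", ""))))
    return out


def scan_records(records: list) -> list[Finding]:
    """Return one Finding per record that forwards to a non-organisation domain."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARD_OPS:
            continue
        params = rec.get("Parameters", [])
        external = tuple(t for t in forwarding_targets(params)
                         if t.rsplit("@", 1)[1] not in ORG_DOMAINS)
        if not external:
            continue
        deletes = any(p.get("Name") == "DeleteMessage"
                      and str(p.get("Value")).lower() == "true" for p in params)
        # Mailbox-level forwarding copies everything and survives rule clean-up;
        # a forward-and-delete rule hides the theft. Both rank above a plain rule.
        severity = "high" if deletes or rec["Operation"] == "Set-Mailbox" else "medium"
        findings.append(Finding(rec.get("UserId", "?"), rec["Operation"],
                                external, deletes, severity))
    return findings


# Constructed audit records: two malicious, one internal forward, one unrelated.
SAMPLE_LOG = """[
 {"CreationTime": "2023-11-02T08:14:09", "Operation": "New-InboxRule",
  "UserId": "analyst@ngo.example", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "ForwardTo", "Value": "\\"Archive\\" [SMTP:attacker.box@gmail.com]"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2023-11-02T08:16:41", "Operation": "Set-Mailbox",
  "UserId": "analyst@ngo.example", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Identity", "Value": "analyst@ngo.example"},
                 {"Name": "ForwardingSmtpAddress", "Value": "smtp:reader@proton.me"},
                 {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
 {"CreationTime": "2023-11-02T09:01:00", "Operation": "New-InboxRule",
  "UserId": "pa@ngo.example", "ClientIP": "198.51.100.20",
  "Parameters": [{"Name": "Name", "Value": "Cover while away"},
                 {"Name": "ForwardTo", "Value": "deputy@ngo.example"}]},
 {"CreationTime": "2023-11-02T09:30:12", "Operation": "Set-InboxRule",
  "UserId": "pa@ngo.example", "ClientIP": "198.51.100.20",
  "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "Reading"}]}
]"""


def load_sample() -> list:
    return json.loads(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_records(load_sample()):
        print(f.severity.upper(), f.operation, f.actor, "->",
              ", ".join(f.external_targets),
              "(deletes original)" if f.deletes_original else "")
```

Run it against the full audit window around the suspected phishing click, not just the day of discovery: the advisory describes trust-building that can run for an extended period, so the rule may predate the first visible sign of compromise. Rules created from an unfamiliar client IP shortly after a sign-in from the same address are the strongest candidates.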

A number of mitigations will be useful in defending against the activity, the advisory stated. These include:

  • Using multi-factor authentication (MFA) to reduce the impact of password compromises.
  • Protecting devices and networks by keeping them up to date.
  • Enabling email providers’ automated email scanning features.
  • Disabling mail-forwarding.

One caveat on the first of these: because the EvilGinx flow captures the session cookie issued after 2FA succeeds, one-time codes and push approvals are relayed through the proxy along with the password. Phishing-resistant methods such as FIDO2/WebAuthn security keys, whose response is bound to the genuine site's origin, are the MFA variants that hold up against this technique.

Revelations of Russian state-sponsored activity are no surprise

The revelations detailing alleged Russian state-sponsored attempts to influence democratic processes should come as no surprise, commented Chris Morgan, senior cyber threat intelligence analyst at cyber security firm ReliaQuest. “For several years, multiple Western countries have accused Russia of attempting to conduct espionage against its adversaries, sowing disinformation and otherwise seeking to undermine democratic processes. Such covert activities also allow Russia to extract sensitive information, maintain persistence within systems of organizations of strategic interest and obtain intelligence to guide Russian foreign policy.”

The attribution to Star Blizzard is also not unexpected, Morgan said. “The group has previously used domain impersonation to facilitate theft of credentials, while regularly rotating their infrastructure to avoid detection. Despite being agile and sophisticated, such APT groups continue to use rudimentary techniques – largely because they work.”
