Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.[2] |
| Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | Star Blizzard has sent emails to establish rapport with targets, eventually sending messages with attachments containing links to credential-stealing sites.[1][2][3][4] |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Star Blizzard has sent emails to establish rapport with targets, eventually sending messages with links to credential-stealing sites.[1][2][3][4] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Star Blizzard has used JavaScript to redirect victim traffic from an adversary-controlled server to a server hosting the Evilginx phishing framework.[3] |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | Star Blizzard has established fraudulent profiles on professional networking sites to conduct reconnaissance.[1][2] |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | Star Blizzard has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target.[1][2][4] |
| Enterprise | T1593 | Search Open Websites/Domains | Star Blizzard has used open-source research to identify information about victims to use in targeting.[1][2] |
| Enterprise | T1589 | Gather Victim Identity Information | Star Blizzard has identified ways to engage targets by researching potential victims' interests and social or professional contacts.[2] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Star Blizzard has uploaded malicious payloads to cloud storage sites.[4] |
| Enterprise | T1078 | Valid Accounts | Star Blizzard has used stolen credentials to sign into victim email accounts.[1][2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Star Blizzard has lured targets into opening malicious .pdf files to deliver malware.[4] |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | Star Blizzard has remotely accessed victims' email accounts to steal messages and attachments.[2] |
| Enterprise | T1114.003 | Email Collection: Email Forwarding Rule | Star Blizzard has abused email forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access after compromised credentials are reset.[1][2] |
| Enterprise | T1539 | Steal Web Session Cookie | Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains.[2] |
| Enterprise | T1583 | Acquire Infrastructure | Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails.[3] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Star Blizzard has registered domains using randomized words and with names resembling legitimate organizations.[2][3] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity.[2][3] |
| Enterprise | T1586.002 | Compromise Accounts: Email Accounts | Star Blizzard has used compromised email accounts to conduct spearphishing against contacts of the original victim.[2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Star Blizzard has sent emails with malicious .pdf files to spread malware.[4] |

| ID | Name | References | Techniques |
|---|---|---|---|
| S1140 | Spica | [4] | Masquerading: Masquerade Task or Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Archive Collected Data, File and Directory Discovery, Steal Web Session Cookie, Ingress Tool Transfer, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task |