Introduction

In the fast-evolving landscape of cybersecurity threats, BroCoTec, a Houston-based Managed Service Provider (MSP), remains at the forefront of safeguarding organizations against potential risks. In a recent advisory issued on December 7, 2023, the UK National Cyber Security Centre (NCSC) revealed the ongoing activities of the Russian FSB cyber actor Star Blizzard, shedding light on its worldwide spear-phishing campaigns. This blog post delves into the details provided in the advisory, offering insights into Star Blizzard's tactics and emphasizing the importance of proactive cybersecurity measures.

Overview of Star Blizzard's Activities

Star Blizzard, previously known by various aliases such as SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, and BlueCharlie, has persistently utilized spear-phishing attacks to gather information from targeted organizations and individuals. The advisory highlights that the actor is actively targeting entities in the UK and other areas of geopolitical interest.

Collaborative Assessment by Security Agencies

The NCSC, along with prominent security agencies such as the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, NSA, Cyber National Mission Force (CNMF), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ), assesses that Star Blizzard is likely affiliated with the Russian Federal Security Service (FSB) Centre 18.

Targeting Profile and Sectors

Since 2019, Star Blizzard has targeted a range of sectors, including academia, defense, governmental organizations, non-governmental organizations (NGOs), think tanks, and politicians. While the UK and US have witnessed the highest impact, the actor has also directed its activities toward other NATO countries and those neighboring Russia. Notably, the scope expanded in 2022 to include defense-industrial targets and US Department of Energy facilities.

Spear-Phishing Techniques

Star Blizzard employs sophisticated spear-phishing techniques, combining research and reconnaissance to tailor attacks to specific individuals or groups. The actor extensively uses open-source resources, including social media and professional networking platforms, to identify targets and gather information.

The actor creates fake email accounts impersonating known contacts, as well as fraudulent social media profiles resembling respected experts. Webmail addresses from providers such as Outlook, Gmail, Yahoo, and Proton Mail are used in the initial approach, often paired with display names or domains resembling legitimate organizations so that the message appears authentic.
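The sender patterns described in this section (a known contact's name on a free webmail address, a domain that resembles but is not a trusted one, an address smuggled into the display name) can be screened mechanically before a message reaches a busy inbox. The following is an added example written for this post, not code from the advisory or from BroCoTec; the trusted domains, known contacts and sample headers are constructed for illustration, and the similarity threshold is an assumption to tune against real mail flow.

```python
"""Triage From: headers for the impersonation patterns the advisory describes."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed reference data (assumptions, not from the advisory): domains the
# organisation legitimately corresponds with, and the real addresses of
# contacts whose names an attacker might borrow.
TRUSTED_DOMAINS = {"example-thinktank.org", "example-university.ac.uk"}
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example-thinktank.org",
    "prof. alan smith": "a.smith@example-university.ac.uk",
}


def _similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def assess_sender(from_header: str, lookalike_threshold: float = 0.85):
    """Return (verdict, reasons) for a raw From: header value.

    verdict is 'trusted' (address is on a trusted domain), 'suspicious'
    (one or more impersonation indicators fired) or 'unknown' (nothing
    matched; needs the usual human scrutiny).
    """
    display_name, address = parseaddr(from_header)
    address = address.lower()
    display_name = " ".join(display_name.split()).lower()
    if "@" not in address:
        return "unknown", ["no parseable address in From: header"]
    domain = address.rsplit("@", 1)[1]

    if domain in TRUSTED_DOMAINS:
        return "trusted", []

    reasons = []
    # 1. Domain that resembles a trusted one but is not it (typo/lookalike).
    for trusted in sorted(TRUSTED_DOMAINS):
        score = _similarity(domain, trusted)
        if score >= lookalike_threshold:
            reasons.append(
                f"domain {domain} resembles {trusted} (similarity {score:.2f})"
            )
    # 2. Internationalised or punycode labels, a common homoglyph vehicle.
    if domain.startswith("xn--") or ".xn--" in domain or not domain.isascii():
        reasons.append("domain uses non-ASCII or punycode labels")
    # 3. Display name is a known contact, but the address is not theirs.
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and expected != address:
        reasons.append(
            f"display name '{display_name}' belongs to {expected}, not {address}"
        )
    # 4. An email address placed in the display name to mask the real sender.
    if "@" in display_name:
        shown_domain = display_name.rsplit("@", 1)[1].strip('"> ')
        if shown_domain != domain:
            reasons.append(
                f"display name shows {shown_domain} but mail comes from {domain}"
            )

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        '"Jane Doe" <jane.doe@example-thinktank.org>',
        '"Jane Doe" <jane.doe.thinktank@gmail.com>',
        '"Research Team" <info@example-thinktank.co>',
        '"jane.doe@example-thinktank.org" <contact1234@outlook.com>',
        '"Newsletter" <news@example-vendor.net>',
    ]:
        verdict, why = assess_sender(header)
        print(f"{verdict:10s} {header}")
        for r in why:
            print(f"           - {r}")
```

In practice the reference data would come from the address book and the organisation's accepted domains, and a "suspicious" verdict would feed a quarantine or banner rather than a print statement; the point is that each indicator is cheap to compute and maps directly to a tactic named in the advisory.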

Building Trust and Delivery of Malicious Links

After researching targets' interests and contacts, Star Blizzard initiates contact to build trust. This involves benign conversations over an extended period. Once trust is established, the actor shares a malicious link, typically disguised as a document or website of interest. The link directs the target to an actor-controlled server, prompting them to enter account credentials.

Exploitation and Further Activity

Once the target follows the malicious link and enters credentials on the actor-controlled page, those credentials are compromised. Star Blizzard then uses the stolen credentials to sign in to the account and steal emails and attachments from the victim's inbox. The actor may also set up mail-forwarding rules, maintaining ongoing visibility of the victim's correspondence even after the initial access is noticed.

Mitigation Strategies by BroCoTec

In light of these evolving cyber threats, BroCoTec recommends several mitigation strategies to defend against spear-phishing activities:

1. **Use Strong Passwords:** Employ strong and unique passwords, especially for email accounts. Avoid password reuse across multiple services.

2. **Implement Multi-Factor Authentication (MFA):** Enhance security by implementing MFA to reduce the impact of password compromises.

3. **Keep Devices and Networks Updated:** Regularly update devices and networks with the latest security patches and use anti-virus software to guard against known threats.

4. **Exercise Vigilance:** Be cautious of spear-phishing emails, scrutinizing sender addresses and email content for authenticity.

5. **Enable Automated Email Scanning:** Utilize email providers' automated scanning features to detect and block phishing attempts.

6. **Disable Mail-Forwarding:** If possible, disable mail-forwarding to prevent attackers from maintaining visibility of target emails.
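Where forwarding cannot be disabled outright (item 6), the next best control is to audit the inbox rules that already exist, since a rule that forwards or redirects mail to an external address and then deletes or files the original is exactly the persistence mechanism described above. The following is an added example written for this post, not code from the advisory or from BroCoTec. It assumes rules have been exported in a shape resembling the Microsoft Graph messageRule resource (display name, isEnabled, and an actions object with forwardTo / forwardAsAttachmentTo / redirectTo recipient lists plus delete, moveToFolder and markAsRead); the export below and the organisation's domain list are constructed sample data.

```python
"""Flag inbox rules that leak mail outside the organisation."""
import json

# Constructed export, shaped like Graph's messageRule resource (assumption).
# Not real data: three rules on one mailbox.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Project updates to Sam",
        "isEnabled": True,
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "sam.lee@example-thinktank.org"}}],
            "moveToFolder": "Projects",
        },
    },
    {
        # Single-character name is a common way to hide a rule in a long list.
        "displayName": ".",
        "isEnabled": True,
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "archive.backup2023@gmail.com"}}],
            "delete": True,
            "markAsRead": True,
        },
    },
    {
        "displayName": "Redirect grant mail",
        "isEnabled": False,
        "actions": {
            "redirectTo": [{"emailAddress": {"address": "grants@example-thinktank.co"}}],
        },
    },
])

# Domains that count as internal for this organisation (constructed).
ORG_DOMAINS = {"example-thinktank.org"}
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDING_ACTIONS = ("delete", "moveToFolder", "markAsRead")


def _external_recipients(rule: dict, org_domains: set) -> list:
    """Return [(action, address)] for recipients outside org_domains."""
    actions = rule.get("actions") or {}
    found = []
    for key in FORWARDING_ACTIONS:
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "").lower()
            if "@" in address and address.rsplit("@", 1)[1] not in org_domains:
                found.append((key, address))
    return found


def audit_rules(rules_json: str, mailbox: str, org_domains: set = ORG_DOMAINS) -> list:
    """Return one finding per rule that forwards or redirects mail externally.

    Severity is 'high' when the rule also deletes, files or marks the
    original as read (the victim never sees the message), else 'medium'.
    Disabled rules are still reported: an attacker can re-enable them.
    """
    findings = []
    for rule in json.loads(rules_json):
        external = _external_recipients(rule, org_domains)
        if not external:
            continue
        actions = rule.get("actions") or {}
        hides_original = any(actions.get(k) for k in HIDING_ACTIONS)
        findings.append({
            "mailbox": mailbox,
            "rule": rule.get("displayName", ""),
            "enabled": bool(rule.get("isEnabled", True)),
            "external_recipients": external,
            "hides_original": hides_original,
            "severity": "high" if hides_original else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT, "victim@example-thinktank.org"):
        state = "enabled" if f["enabled"] else "DISABLED"
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule '{f['rule']}' ({state})")
        for action, addr in f["external_recipients"]:
            print(f"    {action} -> {addr}")
        if f["hides_original"]:
            print("    original message is deleted/filed/marked read")
```

Run this over every mailbox on a schedule and alert on new findings; a rule created shortly after an unusual sign-in, with an external recipient and a delete action, is worth treating as a confirmed compromise rather than a hygiene issue.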

Conclusion

As Star Blizzard continues its spear-phishing campaigns globally, organizations must remain vigilant and adopt proactive cybersecurity measures. BroCoTec stands ready to assist businesses in fortifying their defenses against evolving cyber threats. By implementing the recommended mitigation strategies, organizations can bolster their resilience and minimize the risks associated with spear-phishing attacks.