Star Blizzard Operations Linked to Russian Intelligence Agency; APT28 Targets NATO’s Rapid Response

tap 24 - 2023

Spear-Phishing Operations of Star Blizzard APT Group Attributed to Russian Intelligence Agency FSB

A joint advisory from the Five Eyes intelligence alliance, published on December 7, 2023, attributes the activity of the Star Blizzard group (aka SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, BlueCharlie) to Russia's FSB, specifically its "Centre 18" [1]. Since 2019, Star Blizzard has spear-phished academia, defense, government, NGOs, think tanks, and politicians in NATO member states and in countries neighboring Russia [2]. To defeat multifactor authentication the group uses EvilGinx, an open-source adversary-in-the-middle phishing framework that proxies the legitimate login page: the victim completes the real MFA challenge, and the proxy captures both the password and the resulting session cookie, which the actor replays to access the account without triggering a second MFA prompt [3].

Star Blizzard's main social engineering tactic in this campaign is impersonation: the group creates fake email accounts and social media profiles posing as known contacts of the target or as respected experts in the target's field. Once contact is established, it lures victims with fake event invitations containing phishing links; the credentials entered on the phishing page are captured and relayed to actor-controlled servers.

Once credentials and session cookies are in hand, Star Blizzard logs in to the victim's mailbox remotely to steal emails and attachments, creates mail-forwarding rules so that new messages keep flowing to the actor after the initial access ends, and mines the mailbox's contact data and mailing-list memberships to identify further targets, which it then phishes, in some cases from the compromised account itself.
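A check a defender can run against the persistence mechanism described here, as an added example that is not part of the advisory or of this bulletin: it scans mailbox audit records for inbox rules or mailbox settings that forward mail to an external domain, notes whether the rule also hides the original message from the owner, and pivots on the client IP that made the change. The record layout (Operation, UserId, ClientIP, Parameters as Name/Value pairs) is an assumption modeled on Exchange Online audit entries for New-InboxRule, Set-InboxRule and Set-Mailbox; the sample records, addresses and domains are constructed.

```python
"""Audit mailbox configuration events for forwarding-based persistence:
rules or settings that send incoming mail to an external address, optionally
hiding the evidence from the mailbox owner.

Added example; not code from the advisory or from any vendor.  The record
shape is an assumption modeled on Exchange Online audit entries for
New-InboxRule, Set-InboxRule and Set-Mailbox; adapt field names to your source.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Operations that can change where a mailbox's incoming mail goes.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters whose value is a forwarding/redirect destination.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Parameters that hide the forwarded mail from the mailbox owner.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    user: str
    operation: str
    client_ip: str
    external_targets: tuple  # external addresses the mail is sent to
    hides_messages: bool     # rule also deletes/marks read/moves the original


def external_addresses(value, internal_domains):
    """Return lowercase addresses in a parameter value whose domain is not ours.

    Values may look like 'smtp:x@y', 'Name <x@y>' or 'a@b; c@d'; the regex
    pulls out each bare address regardless of wrapping.
    """
    found = (m.lower() for m in EMAIL_RE.findall(value))
    return [a for a in found if a.rsplit("@", 1)[1] not in internal_domains]


def analyze(records, internal_domains):
    """Return a Finding for every record that forwards mail outside the org."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        targets = set()
        for name in FORWARD_PARAMS:
            if name in params:
                targets.update(external_addresses(params[name], internal))
        if not targets:
            continue  # no forward, or the forward stays inside the organization
        hides = any(params.get(name, "").lower() not in ("", "false")
                    for name in HIDE_PARAMS)
        findings.append(Finding(user=rec["UserId"].lower(),
                                operation=rec["Operation"],
                                client_ip=rec.get("ClientIP", ""),
                                external_targets=tuple(sorted(targets)),
                                hides_messages=hides))
    return findings


def pivot_by_client_ip(findings):
    """Group affected mailboxes by the IP that made the change.

    One source address touching several mailboxes is the pattern to expect when
    a single operator works through a batch of freshly phished accounts.
    """
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f.client_ip].add(f.user)
    return {ip: sorted(users) for ip, users in by_ip.items()}


# Constructed sample records (not real audit data).  The first and third set
# forwarding to an outside domain from the same client IP; the second only moves
# mail to a folder, the fourth forwards internally, the fifth is not a rule change.
SAMPLE_RECORDS = json.loads("""[
  {"Operation": "New-InboxRule", "UserId": "Analyst@example.org", "ClientIP": "203.0.113.45",
   "Parameters": [{"Name": "Name", "Value": "."},
                  {"Name": "ForwardAsAttachmentTo", "Value": "Archive <archive@mail-collector.example>"},
                  {"Name": "DeleteMessage", "Value": "True"}]},
  {"Operation": "Set-InboxRule", "UserId": "analyst@example.org", "ClientIP": "198.51.100.7",
   "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                  {"Name": "MoveToFolder", "Value": "Newsletters"}]},
  {"Operation": "Set-Mailbox", "UserId": "director@example.org", "ClientIP": "203.0.113.45",
   "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:director.backup@mail-collector.example"},
                  {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
  {"Operation": "New-InboxRule", "UserId": "pm@example.org", "ClientIP": "192.0.2.10",
   "Parameters": [{"Name": "Name", "Value": "Team"},
                  {"Name": "ForwardTo", "Value": "team-lead@example.org"}]},
  {"Operation": "MailItemsAccessed", "UserId": "analyst@example.org", "ClientIP": "203.0.113.45",
   "Parameters": []}
]""")
INTERNAL_DOMAINS = {"example.org"}

if __name__ == "__main__":
    hits = analyze(SAMPLE_RECORDS, INTERNAL_DOMAINS)
    for f in hits:
        print(f"{f.user}: {f.operation} from {f.client_ip} -> {', '.join(f.external_targets)}"
              + (" (hides original)" if f.hides_messages else ""))
    for ip, users in pivot_by_client_ip(hits).items():
        print(f"{ip} touched {len(users)} mailbox(es): {', '.join(users)}")
```

Internal-to-internal forwards are deliberately ignored to keep noise down; the signal worth paging on is an external destination combined with a hide action, or one client IP changing forwarding on several mailboxes in a short window, which points at operator infrastructure rather than a user tidying their inbox.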
