The COLDRIVER threat actor is up to its old tricks, continuing its credential theft spree against targets strategically significant to Russia. Microsoft’s Threat Intelligence team is on its tail, tracking this mischief under the alias Star Blizzard (formerly SEABORGIUM), also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.
These digital troublemakers persistently go after individuals and organizations involved in international affairs, defense, logistics support to Ukraine, academia, information security companies, and anything else aligning with Russian state interests, according to the folks in Redmond.
Star Blizzard, reportedly linked to Russia’s Federal Security Service (FSB), has been setting up lookalike domains since at least 2017. In August 2023, Recorded Future uncovered 94 new domains in the threat actor’s arsenal, featuring keywords related to information technology and cryptocurrency.
Microsoft noticed the adversary’s crafty move away from hCaptcha for target selection, opting for server-side scripts to block automated scans. This switch started in April 2023, and now, the Evilginx server takes the reins of the browsing session after determining targets of interest.
The JavaScript served by the redirector does some detective work in the visitor’s browser, checking for browser plugins, detecting automation tools like Selenium or PhantomJS, and relaying the findings back to the server. Microsoft explained that, based on the collected data, the redirector server decides whether to allow continued browser redirection. When all’s well, the browser gets a green light to proceed to the next stage, be it an hCaptcha or a direct route to the Evilginx server.
Star Blizzard has also added email marketing services like HubSpot and MailerLite to its arsenal, crafting campaigns that kick off the redirection chain leading to the Evilginx server, where it harvests credentials.
But that’s not all. The threat actor has gotten savvy with domain name services (DNS), using a DNS provider to resolve its actor-registered domains, sending password-protected PDF lures with embedded links to sidestep email security scanning, and hosting files on Proton Drive.
Responding to public reporting on its infrastructure, Star Blizzard upgraded its domain generation algorithm (DGA) to draw on a more randomized list of words when naming domains. Despite these changes, Microsoft notes that Star Blizzard remains laser-focused on email credential theft, with cloud-based email providers as its primary target.
Across the pond, the U.K. has had enough and called out Star Blizzard for its meddling in U.K. political processes. The government sanctioned two members of the hacking crew, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev), for their involvement in spear-phishing campaigns that resulted in unauthorized access and data exfiltration, aiming to undermine U.K. organizations and the government at large.