The US cybersecurity agency CISA is leading a cross-agency push to expose a Russian government-backed APT caught launching spear-phishing campaigns against specific targets in academia, defense, governmental organizations, NGOs and think-tanks.
A joint-advisory from CISA and western law enforcement agencies identified the actor as Star Blizzard and joined with Microsoft’s threat intelligence team to expose the ongoing operation and share indicators of compromise.
The FSB-linked hacking team has been observed hitting targeted sectors in the US and UK and the agencies warn that malicious activity has also been seen in other NATO countries, and countries neighboring Russia.
“During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities,” CISA said in an advisory that outlines how the group conducts research and preparation for surgical spear-phishing attacks.
“Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses,” the agency noted.
“The actors may intentionally use personal emails to circumvent security controls in place on corporate networks,” CISA, warning that the hacking team takes the time to build a rapport and trust with potential victims.
In the observed attacks, CISA said the Russian hackers use open-source tools to harvest credentials before logging into compromised email accounts.
A separate bulletin from Microsoft notes that the Star Blizzard hackers will display patience and clever tactics during communications with targets.
“An initial email will usually be sent asking to review a document, but without any attachment or link to the document. The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or a link to a PDF file hosted on a cloud storage platform. The PDF file will be unreadable, with a prominent button purporting to enable reading the content,” Microsoft explained.
“Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code — this is the beginning of the redirection chain,” Redmond’s threat-intel team said.
The company notes that Star Blizzard has improved detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets.
“[Star Blizzard] continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests,” Microsoft added.
Related: Microsoft: Russia Behind 58% of Detected State-Backed Hacks
Related: NSA: Russian Hackers Exploiting VPN Vulnerabilities – Patch Immediately
Related: Microsoft Catches Russian Hackers Phishing with Teams Chat App
Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine