Connect with us

Hi, what are you looking for?



CISA Issues Warning for Russian ‘Star Blizzard’ APT Spear-Phishing Operation

The US cybersecurity agency calls attention to a Russian APT targeting academia, defense, governmental organizations, NGOs and think-tanks.

Microsoft Hit by Nation State Actor Midnight Blizzard

The US cybersecurity agency CISA is leading a cross-agency push to expose a Russian government-backed APT caught launching spear-phishing campaigns against specific targets in academia, defense, governmental organizations, NGOs and think-tanks.

A joint-advisory from CISA and western law enforcement agencies identified the actor as Star Blizzard and joined with Microsoft’s threat intelligence team to expose the ongoing operation and share indicators of compromise.

The FSB-linked hacking team has been observed hitting targeted sectors in the US and UK and the agencies warn that malicious activity has also been seen in other NATO countries, and countries neighboring Russia.

“During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities,” CISA said in an advisory that outlines how the group conducts research and preparation for surgical spear-phishing attacks. 

“Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses,” the agency noted.

“The actors may intentionally use personal emails to circumvent security controls in place on corporate networks,” CISA, warning that the hacking team takes the time to build a rapport and trust with potential victims.

In the observed attacks, CISA said the Russian hackers use open-source tools to harvest credentials before logging into compromised email accounts. 

A separate bulletin from Microsoft notes that the Star Blizzard hackers will display patience and clever tactics during communications with targets.

Advertisement. Scroll to continue reading.

“An initial email will usually be sent asking to review a document, but without any attachment or link to the document. The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or a link to a PDF file hosted on a cloud storage platform. The PDF file will be unreadable, with a prominent button purporting to enable reading the content,” Microsoft explained.

“Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code — this is the beginning of the redirection chain,” Redmond’s threat-intel team said.

The company notes that Star Blizzard has improved detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets. 

“[Star Blizzard] continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests,” Microsoft added.

Related: Microsoft: Russia Behind 58% of Detected State-Backed Hacks

Related: NSA: Russian Hackers Exploiting VPN Vulnerabilities – Patch Immediately

Related: Microsoft Catches Russian Hackers Phishing with Teams Chat App

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...