
Star Blizzard’s Persistent Tactics; New Challenges  

The threat actor known as COLDRIVER, operating under Star Blizzard (formerly SEABORGIUM), has continued to pose a formidable challenge. 

This group, linked to Russia’s Federal Security Service (FSB), is adept at credential theft and has enhanced its detection evasion capabilities.

Star Blizzard’s Strategies

Star Blizzard has been a persistent force since at least 2017, primarily targeting entities involved in international affairs, defence, and logistics support to Ukraine, academia, and information security companies. 

Microsoft’s Threat Intelligence team has closely monitored this threat actor’s activities, shedding light on their latest maneuvers.

In August 2023, Recorded Future uncovered 94 new domains associated with Star Blizzard’s attack infrastructure, emphasising information technology and cryptocurrency themes. 

The group has shifted its tactics, replacing the hCaptcha check it previously used with server-side scripts that thwart automated scanning before a browsing session is redirected to the Evilginx server.

Image Description: Typical Star Blizzard redirection chain to Evilginx infrastructure

Server-Side JavaScript and Email Marketing

Microsoft’s findings reveal Star Blizzard’s utilization of server-side JavaScript code to assess browser characteristics and prevent automated access. 

This showcases sophistication in evasion techniques and highlights the group’s adaptability.

Moreover, the threat actor has incorporated email marketing services such as HubSpot and MailerLite to initiate campaigns, setting the stage for the Evilginx server’s role in credential harvesting. This integration of diverse tactics demonstrates a strategic approach to achieving their objectives.

Image Description: Examples of Star Blizzard PDF lures when opened

Domain Generation Algorithm (DGA) Upgrade: A Response to External Scrutiny

Keen to stay ahead of the curve, Star Blizzard has upgraded its Domain Generation Algorithm (DGA), incorporating a more randomized list of words for naming domains. 

This adjustment and the group’s meticulous reconnaissance and preparatory phases underline their commitment to eluding detection.

International Response: Sanctions and Countermeasures

The United Kingdom has officially called out Star Blizzard for its cyber operations targeting high-profile individuals and entities, leading to sanctions against two identified members. 

The U.S. Department of Justice (DoJ) has unsealed an indictment implicating the FSB in long-running hack-and-leak operations.

Alongside these measures, the U.S. Department of State will grant a $10 million reward for information that leads to the identification of Star Blizzard’s members, underscoring the severity of the threat.

At the End of the Day…

The international response to this malicious activity shows the severity of the issue. The defensive strategies remain the same, but investing in phishing prevention, endpoint detection, cloud protection, conditional access and base-level security is crucial.

Author: Anas Hasan

Date: December 8, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.