Russia-backed attackers have named new targets for their ongoing phishing campaigns, with defense-industrial firms and energy facilities now in their sights, according to agencies of the Five Eyes alliance.
In a joint security alert issued on Thursday, seven agencies* from Australia, Canada, New Zealand, the US and the UK warned about a criminal gang named Star Blizzard and its evolving phishing techniques.
Beginning in 2022, Star Blizzard also began prodding defense-industrial targets and US Department of Energy facilities.
A US grand jury charged two alleged members of Star Blizzard with hacking into US, UK, and other NATO-countries' networks on behalf of the Russian government.
According to court documents, Ruslan Aleksandrovich Peretyatko, an officer in Russia's FSB Center 18, along with Andrey Stanislavovich Korinets and other unindicted conspirators, targeted current and former employees of US intelligence agencies, the Defense and State Departments, defense contractors, and Department of Energy facilities between at least October 2016 and October 2022.
The indictment also alleges that Star Blizzard members pulled off successful phishing campaigns against military and government officials, think tank staff, and journalists in the UK, and that info from some of these compromised email accounts was then leaked to the press in Russia and the UK in advance of the 2019 UK elections.
While this gang, like other Kremlin-backed hackers, focuses its espionage efforts on matters like Western security posture and foreign policy plans, Mandiant warned that intelligence-gathering is not Moscow's only aim.
While US and UK-based targets appear to be most at risk of Star Blizzard's attacks, the Five Eyes say the Kremlin-backed crew has also infiltrated other NATO countries, plus others that share borders with Russia.
The cyber snoops play the long game - taking time to research their targets on social media and networking platforms, and then creating their own phony profiles and malicious spoofed domains.
Once they establish trust, Star Blizzard operatives send a malicious link to a fake website or document used to harvest the victim's credentials.
Next comes an attempt to log into the victim's email account, snoop around and steal messages and documents.
Accessing victims' contacts is another goal, as that provides the gang with additional targets for their phishing campaigns.
In a separate report published Thursday, Microsoft shared details about the tactics, techniques, and procedures Star Blizzard has used over the past year.
Most aim to avoid detection and include using server-side scripts to prevent automated scanning.
Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure.
Redirection was still performed by an actor-controlled server, now first executing JavaScript code before redirecting the browsing session to the Evilginx server.
The code has three functions: it checks if the browser has any plugins installed, looks for indicators that the page is being scanned by an automation tool, and then sends collected data back to the Evilginx server.
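As an added example, not code from the Microsoft or Five Eyes reports and not the actors' own script, here is a small Python triage helper that flags a captured landing page whose inline JavaScript shows the three behaviours described above (plugin enumeration, automation-tool detection, and a data beacon followed by a redirect). The indicator patterns, the `/collect` endpoint and both sample pages are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Heuristic indicators for each of the three behaviours (assumed patterns,
# not taken from any report). Tune these against your own captures.
INDICATORS: Dict[str, List[re.Pattern]] = {
    "plugin_enumeration": [
        re.compile(r"navigator\.plugins"),
        re.compile(r"navigator\.mimeTypes"),
    ],
    "automation_check": [
        re.compile(r"navigator\.webdriver"),
        re.compile(r"\b(?:__selenium|__webdriver|callPhantom|_phantom)\b"),
        re.compile(r"HeadlessChrome"),
    ],
    # A network send (fetch / XHR / sendBeacon) followed later by a redirect.
    "beacon_then_redirect": [
        re.compile(r"(?:fetch\(|XMLHttpRequest|sendBeacon\().*?"
                   r"(?:window\.location|location\.(?:href|replace|assign))", re.S),
    ],
}

def extract_inline_scripts(html: str) -> List[str]:
    """Return the bodies of all inline <script> blocks in the page."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)

def analyze_script(script: str) -> Dict[str, bool]:
    """Report which of the three behaviours the script source exhibits."""
    return {name: any(p.search(script) for p in pats)
            for name, pats in INDICATORS.items()}

def triage_page(html: str) -> Dict[str, object]:
    """Score a captured landing page: all three behaviours together is 'high'."""
    hits = analyze_script("\n".join(extract_inline_scripts(html)))
    score = sum(hits.values())
    verdict = "high" if score == 3 else "medium" if score else "low"
    return {"hits": hits, "verdict": verdict}

# Constructed sample pages (not real captures).
SUSPICIOUS_PAGE = """<html><body><script>
var d = {plugins: navigator.plugins.length, wd: navigator.webdriver};
fetch('/collect', {method: 'POST', body: JSON.stringify(d)})
  .then(function () { window.location.href = 'https://NEXT-HOP-PLACEHOLDER/'; });
</script></body></html>"""

BENIGN_PAGE = """<html><body><script>
document.getElementById('greeting').textContent = 'Welcome back';
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, triage_page(page))
```

A "high" verdict is a reason to detonate the page in an instrumented browser rather than a headless scanner, since the page is built to behave differently under automation.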
The gang primarily uses HubSpot and MailerLite to both create an email campaign and a URL that serves as the entry point to the redirect chain ending in the gang's infrastructure.
In another attempt to evade security tools, Star Blizzard typically uses password-protected PDF lures or links to cloud-based file-sharing platforms such as Microsoft OneDrive and Proton Drive.
After Recorded Future published ways to detect Star Blizzard domain registrations this past August, the crew moved to a more randomized domain generation algorithm for its domains.
This Cyber News was published on go.theregister.com. Publication date: Fri, 08 Dec 2023 02:13:05 +0000