Gossamer Bear

Threat Actor updated 6 months ago (2024-05-23T16:17:34.386Z)

Download STIX

Preview STIX

Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns targeting Ukraine and North Atlantic Treaty Organization (NATO) countries. Gossamer Bear has utilized compromised WordPress sites to impede attribution of their C2 servers, a tactic shared with other threat actors such as APT29 and Gamaredon. This group targets a wide range of sectors, including international affairs, defense, and logistics support to Ukraine. The report highlights the fact that Gossamer Bear, along with other actors like Frozenlake/Fancy Bear, Frozenvista, and the Belarusian actor Puschcha (UNC1151), have focused on specific types of attacks. While some groups prefer phishing campaigns against Ukraine and NATO countries, Gossamer Bear opts for more disruptive hack-and-leak campaigns, particularly against Ukraine and the UK. They are suspected of using pro-Russia media outlets to launder information acquired through collection operations, showcasing an alarming evolution in their tactics. In conclusion, Gossamer Bear represents a substantial cybersecurity threat due to its evolving tactics, persistent focus on key geopolitical regions, and its ability to impede attribution attempts. Their use of pro-Russia media outlets to disseminate acquired information further exacerbates the threat they pose. As this group continues to target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, it's crucial to stay vigilant and continually adapt defensive strategies to counter their evolving tactics.

Description last updated: 2024-05-23T15:20:04.980Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
COLDRIVER is a possible alias for Gossamer Bear. Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks,	2
Callisto is a possible alias for Gossamer Bear. Callisto, also known as Star Blizzard, COLDRIVER, TAG-53, and BlueCharlie, is a threat actor group likely based in Russia that has been linked to malicious cyber activities. The group is notorious for its sophisticated spear-phishing attacks targeting organizations and individuals in the UK and othe	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ukraine

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Gossamer Bear Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Flashpoint	6 months ago	Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
CERT-EU	10 months ago	Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
InfoSecurity-magazine	2 years ago	Google Report Reveals Russia's Elaborate Cyber Strategy in Ukraine
CERT-EU	a year ago	Microsoft Alert: COLDRIVER Credential Theft Rising Again