Gossamer Bear

Threat Actor Profile (updated 5 days ago)
Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns targeting Ukraine and North Atlantic Treaty Organization (NATO) countries. Its targets span a wide range of sectors, including international affairs, defense, and logistics support to Ukraine.

Gossamer Bear has used compromised WordPress sites to impede attribution of its command-and-control (C2) servers, a tactic shared with other threat actors such as APT29 and Gamaredon.

The report highlights that Gossamer Bear, along with other actors such as Frozenlake/Fancy Bear, Frozenvista, and the Belarusian actor Pushcha (UNC1151), has concentrated on specific types of attacks. While some of these groups prefer phishing campaigns against Ukraine and NATO countries, Gossamer Bear opts for more disruptive hack-and-leak campaigns, particularly against Ukraine and the UK. The group is suspected of using pro-Russia media outlets to launder information acquired through its collection operations, an alarming evolution in its tactics.

In conclusion, Gossamer Bear represents a substantial cybersecurity threat because of its evolving tactics, its persistent focus on key geopolitical regions, and its ability to impede attribution. Its use of pro-Russia media outlets to disseminate acquired information further exacerbates the threat. As the group continues to target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, defenders must stay vigilant and continually adapt their strategies to counter its evolving tactics.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles you may also want to look at.
ID: COLDRIVER (votes: 2)
Description: Coldriver, also known as Star Blizzard and Callisto Group, is a Russian Advanced Persistent Threat (APT) actor that has been identified as a significant cybersecurity threat. Notably, Google's Threat Analysis Group (TAG) has issued warnings about Coldriver's use of a custom backdoor in its operation

ID: Callisto (votes: 2)
Description: Callisto, also known as Gossamer Bear, ColdRiver, UNC4057, Star Blizzard, and Blue Charlie, is a threat actor group likely linked to Russian state interests. This group primarily focuses on credential harvesting, targeting regions such as Ukraine and North Atlantic Treaty Organization (NATO) countri
Miscellaneous Associations
Other contextual elements that could aid in assessing relevance:
Ukraine
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gossamer Bear threat actor was read from the document corpus below. This display is limited to 20 results.

Source, created at, title:
CERT-EU (4 months ago): Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
InfoSecurity-magazine (a year ago): Google Report Reveals Russia's Elaborate Cyber Strategy in Ukraine
CERT-EU (5 months ago): Microsoft Alert: COLDRIVER Credential Theft Rising Again
Flashpoint (5 days ago): Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024