Star Blizzard

Threat Actor updated 23 days ago (2024-11-29T14:07:36.710Z)
Star Blizzard, a threat actor group with ties to Russia's FSB, has been conducting sophisticated spear-phishing campaigns predominantly targeting Western think tanks, government officials, defense contractors, journalists, and nongovernmental organizations (NGOs). The group registers domains to host its phishing framework and creates consumer email accounts matching the names of the individuals it impersonates. It has also been observed using compromised victim email accounts to conduct further spear-phishing against the original victims' contacts. Between January 2023 and August 2024, Microsoft noted that Star Blizzard targeted over 30 civil society entities and organizations in an attempt to exfiltrate sensitive information and interfere in their activities. The group's operations were significantly disrupted when Microsoft filed a civil action to seize 66 internet domains used by Star Blizzard (formerly known as SEABORGIUM, and also referred to as COLDRIVER or Callisto Group). The action was hailed as a significant step in protecting the internet from such threats, while being acknowledged to only scratch the surface of the issue. Despite this setback, Star Blizzard is expected to keep establishing new infrastructure for its operations, posing a persistent threat to technology-dependent societies. The Department of Justice (DoJ) revealed in a partially unsealed indictment that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged for their involvement in the Star Blizzard espionage campaigns, which extended to the UK, NATO countries, and Ukraine. Given Star Blizzard's role as a tool for advancing Russian interests, including election disruption, the actions taken against it are seen as directly supporting efforts to protect democratic processes from external threats.

However, experts anticipate a dramatic increase in nation-state-backed groups purchasing domains for cyberespionage and for seeding misinformation and disinformation, suggesting that the combined DoJ/Microsoft action might be just a drop in the ocean.
Description last updated: 2024-10-29T19:59:30.724Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias (votes): description
- Seaborgium (6 votes): Seaborgium, also known by various names such as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor believed to be linked to Russia's Federal Security Service (FSB). The group has been active since at least 2015, targeting government officials, military personnel, journalists, an
- Callisto (6 votes): Callisto, also known as Star Blizzard, COLDRIVER, TAG-53, and BlueCharlie, is a threat actor group likely based in Russia that has been linked to malicious cyber activities. The group is notorious for its sophisticated spear-phishing attacks targeting organizations and individuals in the UK and othe
- COLDRIVER (5 votes): Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks,
- Callisto Group (5 votes): The Callisto Group, also known as 'Star Blizzard', 'SEABORGIUM', and 'COLDRIVER', is a threat actor linked to Russia's Federal Security Service (FSB), Center 18. This group has been involved in sophisticated spear-phishing campaigns aimed at unauthorized access and information theft from protected c
- TA446 (2 votes): TA446, also known as the Callisto APT group, Seaborgium, Star Blizzard, ColdRiver, TAG-53, and BlueCharlie, is a significant threat actor that has been active since at least 2015. The group has persistently targeted government officials, military personnel, journalists, and think tanks, focusing on
- Cold River (2 votes): Cold River, also known as Star Blizzard, Callisto, and UNC4057, is a sophisticated threat actor linked to the Kremlin. The group has been associated with numerous cyber espionage activities that align with Russian interests. Chief analyst at cybersecurity specialist Mandiant, John Hultquist, has att
- UNC4057 (2 votes): UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Blizzard
Domains
Microsoft
Russia
Credentials
UK
FSB
NCSC
Outlook
Reconnaissance
Backdoor
Malware
Email Accounts
Associated Threat Actors
Alias (association type, votes)
- Callisto Apt Group is associated with Star Blizzard (association type: unspecified; 2 votes)
Source Document References
Information about the Star Blizzard Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source (created)
- Flashpoint (12 days ago)
- InfoSecurity-magazine (a month ago)
- Flashpoint (2 months ago)
- Flashpoint (2 months ago)
- DARKReading (3 months ago)
- DARKReading (3 months ago)
- Flashpoint (3 months ago)
- Securityaffairs (3 months ago)
- BankInfoSecurity (3 months ago)
- InfoSecurity-magazine (3 months ago)
- CISA (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- BankInfoSecurity (8 months ago)
- InfoSecurity-magazine (10 months ago)
- Malwarebytes (a year ago)
- CERT-EU (a year ago)
- InfoSecurity-magazine (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)