Star Blizzard

Threat Actor updated 14 days ago (2024-11-08T12:27:10.446Z)

Download STIX

Preview STIX

Star Blizzard, a threat actor group with ties to Russia's FSB, has been conducting sophisticated spear-phishing campaigns predominantly targeting Western think tanks, government officials, defense contractors, journalists, and nongovernmental organizations (NGOs). The group uses spear-phishing techniques, registering domains to host their phishing framework and creating consumer email accounts that match the names of individuals they impersonate. They have been observed using compromised victim email accounts to conduct further spear-phishing activity against contacts of the original victims. Between January 2023 and August 2024, Microsoft noted that Star Blizzard targeted over 30 civil society entities and organizations in an attempt to exfiltrate sensitive information and interfere in their activities. The group's operations were significantly disrupted when Microsoft filed a civil action to seize 66 internet domains used by Star Blizzard, formerly known as SEABORGIUM and also referred to as COLDRIVER or Callisto Group. This action was hailed as a significant step in protecting the internet from such threats, although it is acknowledged to be only scratching the surface of the issue. Despite this setback, Star Blizzard is expected to continually establish new infrastructure for its operations, posing a persistent threat to technology-dependent societies. The Department of Justice (DoJ) revealed in a partially unsealed indictment that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged for their involvement in the Star Blizzard espionage campaigns which extended to the UK, NATO countries, and Ukraine. With Star Blizzard's status as a tool for advancing Russian interests, including election disruption, the actions taken against them are seen as directly impacting efforts to protect democratic processes from external threats. However, experts anticipate a dramatic increase in nation-state backed groups purchasing domains for cyberespionage, seeding misinformation and disinformation, indicating that the combined DoJ/Microsoft action might just be a drop in the ocean.

Description last updated: 2024-10-29T19:59:30.724Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Seaborgium is a possible alias for Star Blizzard. Seaborgium, also known by various names such as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor believed to be linked to Russia's Federal Security Service (FSB). The group has been active since at least 2015, targeting government officials, military personnel, journalists, an	6
Callisto is a possible alias for Star Blizzard. Callisto, also known as Star Blizzard, COLDRIVER, TAG-53, and BlueCharlie, is a threat actor group likely based in Russia that has been linked to malicious cyber activities. The group is notorious for its sophisticated spear-phishing attacks targeting organizations and individuals in the UK and othe	6
COLDRIVER is a possible alias for Star Blizzard. Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks,	5
Callisto Group is a possible alias for Star Blizzard. The Callisto Group, also known as 'Star Blizzard', 'SEABORGIUM', and 'COLDRIVER', is a threat actor linked to Russia's Federal Security Service (FSB), Center 18. This group has been involved in sophisticated spear-phishing campaigns aimed at unauthorized access and information theft from protected c	5
TA446 is a possible alias for Star Blizzard. TA446, also known as the Callisto APT group, Seaborgium, Star Blizzard, ColdRiver, TAG-53, and BlueCharlie, is a significant threat actor that has been active since at least 2015. The group has persistently targeted government officials, military personnel, journalists, and think tanks, focusing on	2
Cold River is a possible alias for Star Blizzard. Cold River, also known as Star Blizzard, Callisto, and UNC4057, is a sophisticated threat actor linked to the Kremlin. The group has been associated with numerous cyber espionage activities that align with Russian interests. Chief analyst at cybersecurity specialist Mandiant, John Hultquist, has att	2
Unc4057 is a possible alias for Star Blizzard. UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

Blizzard

Domains

Microsoft

Russia

Credentials

Fsb

NCSC

Outlook

Reconnaissance

Backdoor

Malware

Email Accounts

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The threatActor Callisto Apt Group is associated with Star Blizzard.	Unspecified	2

Source Document References

Information about the Star Blizzard Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Flashpoint	a month ago	The New Cold War is Here: Preparing Your Business for The Convergence of Geopolitical, Physical and Cyber Threats
Flashpoint	a month ago	Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts
DARKReading	2 months ago	Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard
DARKReading	2 months ago	Insider Threat Damage Balloons as Visibility Gaps Widen
Flashpoint	2 months ago	FSB-Linked Star Blizzard Campaign Disrupted: What You Need to Know
Securityaffairs	2 months ago	Microsoft and DOJ seized the attack infrastructure used by Russia-linked Callisto Group
BankInfoSecurity	2 months ago	US, Microsoft Seize Domains Used in Russian Spear-Phishing
InfoSecurity-magazine	2 months ago	Microsoft and US Government Disrupt Russian Star Blizzard Operations
CISA	a year ago	Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns
CERT-EU	a year ago	U.S., Britain target 2 Russian hackers with sanctions, expose FSB-backed cyber conspiracy \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker
CERT-EU	10 months ago	Russia hacked ex-MI6 chief’s emails – what they reveal is more Dad’s Army than deep state \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker
BankInfoSecurity	7 months ago	US Cyber Command Expanded 'Hunt Forward' Operations in 2023
InfoSecurity-magazine	9 months ago	Russian Hackers Launch Email Campaigns to Demoralize Ukrainians
Malwarebytes	10 months ago	Coldriver threat group targets high-ranking officials to obtain credentials \| Malwarebytes
CERT-EU	10 months ago	ColdRiver threat group targeting critical infrastructure with backdoor attacks
InfoSecurity-magazine	10 months ago	Russian Coldriver Hackers Deploy Malware to Target Western Officials
CERT-EU	10 months ago	IT consultant in Germany fined for exposing shoddy security
CERT-EU	10 months ago	Russian FSB Hacking Group Turns to Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Russian Hackers Are Using PDF Tricks and Custom Malware to Target NATO \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	10 months ago	Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware