StellarParticle

StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has demonstrated the ability to stay undetected within victims' systems for extended periods, even years. The majority of investigations linked to this group have begun with the identification of malicious activities within a victim's O365 environment. There have also been connections found between StellarParticle-related campaigns and the abuse of Microsoft Cloud Solution Partners’ O365 tenants. CrowdStrike's investigations into StellarParticle have unveiled unique reconnaissance activities performed by the threat actor, such as accessing victims’ internal knowledge repositories like Wikis. In several instances, due to the threat actor using the same set of accounts during their operations, CrowdStrike was able to identify past malicious activity spanning multiple years based on User Access Logging (UAL) data alone. The UAL database has proven to be a critical tool in investigating StellarParticle-linked cases. Throughout the investigations, CrowdStrike identified two sophisticated malware families that were placed on victim systems around mid-2019: a Linux variant of GoldMax and a new family referred to as TrailBlazer. GoldMax likely served as a long-term persistence backdoor during StellarParticle-related compromises, which aligns with the few changes made to the malware to modify existing functions or support additional functionality. StellarParticle’s malware, SUNSPOT, was used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product, further demonstrating the group's advanced capabilities.