Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns

December 7, 2023 at 10:28AM

Star Blizzard, believed to be linked to Russia’s FSB, continues targeted spear-phishing attacks for intelligence gathering. They impersonate trusted contacts using researched information to deceive individuals and organizations in the UK and beyond. Numerous cyber security agencies warn of their expanded targeting since 2019, including the defense industry and energy sector. Mitigations involve strong passwords, multi-factor authentication, and device updates.

Meeting Takeaways:

1. **Cyber Threat Actor Identified**: The Russian-based actor, known by various names including Star Blizzard, SEABORGIUM, and COLDRIVER, is conducting ongoing spear-phishing campaigns targeting the UK and others.

2. **Agencies Involved**: Multiple intelligence and cybersecurity agencies from the UK, US, Canada, Australia, and New Zealand confirm Star Blizzard’s link to the Russian FSB’s Centre 18.

3. **Historical and Current Targeting**: The adversary has been active since 2019, focusing on academia, defense, government, NGOs, and politics, with recent expansion to the defense industry and energy departments.

4. **Attack Techniques**: The actor relies on spear-phishing built on social engineering and open-source intelligence, impersonation of known contacts, and malicious links that harvest credentials (including those protected by two-factor authentication).

5. **Intensified Activities**: Star Blizzard has shown increasing sophistication and scope in their spear-phishing attacks, targeting both personal and business emails, and using stolen credentials for further attacks and intelligence gathering.

6. **Recommendations and Mitigations**:
– Use strong, unique passwords.
– Employ multi-factor authentication.
– Keep systems and software updated and use antivirus software.
– Remain vigilant to suspicious emails and their origins.
– Leverage email scanning features and be cautious of unsolicited attachments/links.
– Disable or monitor mail-forwarding to prevent stealthy surveillance by threat actors.

7. **Resource References**: Specific techniques have been cataloged according to the MITRE ATT&CK® framework, with detailed IDs and descriptions. Individuals and organizations are encouraged to refer to the provided resources and guidelines for best practices in cybersecurity.

8. **Reporting and Contact**: Suspicious activities potentially related to this campaign should be reported to the NCSC or relevant cybersecurity organizations.

9. **Legal and Copyright Notice**: The information is owned by the UK Crown and is exempt from FOIA; FOIA-related queries must be referred to the provided NCSC email address.

10. **Additional Resources**: For a full advisory, one can download the PDF version, titled “Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns”.

These takeaways offer a comprehensive summary of the threat actor’s profile, methods, targets, and defense strategies to counteract the specified cyber threats.
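
One way to act on the "disable or monitor mail-forwarding" mitigation is to review an export of mailbox rules for forwarding to addresses outside the organisation. The script below is an added example, not part of the advisory; the field names, the `INTERNAL_DOMAINS` allow-list and the sample records are assumptions to adapt to your own mail platform's export.

```python
from email.utils import getaddresses

# Assumption: domains your organisation owns; anything else counts as external.
INTERNAL_DOMAINS = {"example.org"}
# Assumption: field names of a mail-rule export, each holding a list of strings.
FORWARD_FIELDS = ("forward_to", "redirect_to", "forward_as_attachment_to")

def is_internal(address, internal=INTERNAL_DOMAINS):
    """True if the address's domain is an internal domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    # Match on a label boundary so "notexample.org" does not pass as "example.org".
    return any(domain == d or domain.endswith("." + d) for d in internal)

def external_forwards(rules, internal=INTERNAL_DOMAINS):
    """Return one finding per external recipient of a forwarding or redirect rule."""
    findings = []
    for rule in rules:
        for field in FORWARD_FIELDS:
            # getaddresses copes with "Name <addr>" forms and comma-separated lists.
            for _, addr in getaddresses(rule.get(field) or []):
                if "@" in addr and not is_internal(addr, internal):
                    findings.append({
                        "mailbox": rule["mailbox"],
                        "rule": rule.get("name", "(unnamed)"),
                        "action": field,
                        "recipient": addr.lower(),
                        # Disabled rules are still reported: they can be re-enabled.
                        "enabled": bool(rule.get("enabled", True)),
                    })
    return findings

# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"mailbox": "a.smith@example.org", "name": "Team copy", "enabled": True,
     "forward_to": ["Ops <ops@mail.example.org>"]},
    {"mailbox": "a.smith@example.org", "name": ".", "enabled": True,
     "forward_to": ["Archive <Archive@Example.NET>"]},
    {"mailbox": "j.doe@example.org", "name": "sync", "enabled": False,
     "redirect_to": ["j.doe@example.org, backup@notexample.org"]},
]

if __name__ == "__main__":
    for finding in external_forwards(SAMPLE_RULES):
        print(finding)
```

Run it on a schedule against a fresh export and alert on any finding that was not present in the previous run, since a newly created external forward on a mailbox is the event worth investigating.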
