Russia’s ‘Star Blizzard’ APT Upgrades its Stealth, Only to Be Unmasked Again

December 7, 2023 at 05:18PM

Star Blizzard, a Kremlin-linked APT group that has run cyberespionage campaigns against NATO-associated entities since 2017, has recently updated its evasion tradecraft. Microsoft documented the new techniques, which include password-protected PDF lures, cloud file-sharing links, more sophisticated domain creation, and abuse of email marketing platforms in phishing campaigns. Alongside its operations against UK officials, the group's repeated operational-security failures have also been noted.

Key Takeaways:

1. The Kremlin-sponsored APT actor "Star Blizzard" has updated its evasion techniques, but Microsoft has exposed the upgrades.
2. "Star Blizzard" steals email credentials in support of cyberespionage and influence campaigns, focusing on NATO members since 2017, particularly those supporting Ukraine.
3. Despite a history of operational security (OpSec) failures, including a disruption by Microsoft in August 2022, the group continues to rebuild and rotate its infrastructure.
4. New tactics from "Star Blizzard" include:
– Password-protected PDF lure documents.
– DNS providers used as reverse proxies to hide the IP addresses of its infrastructure.
– Server-side JavaScript snippets that block automated scanning of that infrastructure.
– A more randomized domain generation algorithm, with domains registered through Namecheap and TLS certificates issued by Let's Encrypt.
– Abuse of email marketing services such as Mailerlite and HubSpot to deliver phishing email.

5. "Star Blizzard" pairs password-protected PDFs with email marketing redirect URLs so that the malicious domain does not appear in the phishing email itself.
6. Recorded Future notes that the group uses cloud platforms and VPS hosts to selectively redirect victims to its malicious infrastructure.
7. Recently observed targets include think tanks, research organizations and high-profile individuals; campaigns have aimed to gain access to a U.S. grants management portal, harvest credentials and run hack-and-leak operations.
8. Microsoft did not comment on the article.
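Items 4 and 5 above describe the lure pattern a mail-security team would want to catch: a password-protected PDF attachment arriving alongside a link that routes through an email-marketing click-tracking domain. The following is an added example, not code from the article, Microsoft or Recorded Future. It parses a raw message with Python's standard `email` module and flags that combination. The redirector hostname list, the `/Encrypt` heuristic and the sample message are assumptions constructed for this example; a real deployment would take the hostname list from the organization's own intelligence.

```python
"""Triage an email for the Star Blizzard-style lure pattern described above:
a password-protected PDF attachment plus a link that goes through an
email-marketing click-tracking service. Added example, not vendor code."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# ASSUMED list of marketing-platform redirector domains; an analyst would
# maintain this from their own intelligence. Matching is by domain suffix.
MARKETING_REDIRECTORS = {"hubspotlinks.com", "mlsend.com", "mailerlite.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_encrypted_pdf(data: bytes) -> bool:
    """Cheap triage heuristic: an encrypted PDF carries an /Encrypt entry in
    its trailer dictionary. This is not a PDF parser."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def hostname_matches(host: str, suffixes: set) -> bool:
    """True if host equals or is a subdomain of any suffix in the set.
    A trailing-dot or look-alike such as hubspotlinks.com.evil.example
    does not match."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_message(raw: bytes) -> dict:
    """Walk every MIME part, collect encrypted PDF attachments and URLs whose
    host is a known marketing redirector, and flag the message when both
    indicators are present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted_pdfs = []
    redirector_urls = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pdf":
            payload = part.get_payload(decode=True) or b""
            if is_encrypted_pdf(payload):
                encrypted_pdfs.append(part.get_filename() or "<unnamed>")
        elif ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname or ""
                if hostname_matches(host, MARKETING_REDIRECTORS):
                    redirector_urls.append(url)
    return {
        "encrypted_pdfs": encrypted_pdfs,
        "redirector_urls": redirector_urls,
        "suspicious": bool(encrypted_pdfs) and bool(redirector_urls),
    }


def build_sample() -> bytes:
    """CONSTRUCTED sample message for demonstration. The attachment is a stub
    PDF byte string with an /Encrypt marker, not a real document, and the
    tracking URL is an invented path on an assumed redirector domain."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "analyst@example.net"
    msg["Subject"] = "Event invitation"
    msg.set_content(
        "Please review the attached invitation.\n"
        "Details: https://t.hubspotlinks.com/Ctc/abc123\n"
    )
    fake_pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                b"trailer << /Encrypt 2 0 R >>\n%%EOF\n")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="invitation.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

Either indicator on its own is common in legitimate mail (encrypted invoices, newsletters), so the script only raises `suspicious` on the combination; tune the redirector list and consider adding the sender-domain and attachment-name checks your own telemetry supports.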