##### CYBER THREAT ANALYSIS | RUSSIA

By Insikt Group®, August 2, 2023

# BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023

## Executive Summary

Since at least March 2023, Insikt Group has tracked new infrastructure that we attribute to the threat activity group BlueCharlie, which overlaps with the Russia-nexus group publicly known as Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. Insikt Group previously tracked this activity under the temporary designator TAG-53. We are now graduating the cluster to the cryptonym BlueCharlie because of overlapping tactics, techniques, and procedures (TTPs) and our increased confidence that the activity we have observed is conducted by a Russia-based threat actor.

Insikt Group has observed BlueCharlie build new infrastructure comprising 94 new domains. Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosure of those operations in industry reporting ([1](https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations), [2](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html), 3). Since Insikt Group began tracking the group in September 2022, we have observed several TTP shifts. These shifts demonstrate that the operators follow industry reporting and show a certain level of sophistication in modifying or obfuscating their activity to frustrate security researchers. Some of the changes were also likely driven by the group's increased attention to operations security (OPSEC).
While Insikt Group was unable to determine victimology or targeting for this campaign at the time of writing, BlueCharlie has in the past targeted entities in the government, higher education, defense, and political sectors, as well as non-governmental organizations (NGOs), activists, journalists, think tanks, and national laboratories. Potential victims in those sectors should improve their phishing defenses, implement FIDO2-compliant multi-factor authentication, use threat intelligence and attack surface intelligence to identify adversary infrastructure early, and educate third-party vendors on the risks involved. Failure to do so may result in the loss of credentials to business-critical resources, leaking of proprietary information related to business or national security, and reputational damage from a breach.

## Key Findings

- BlueCharlie continues to build new infrastructure in pursuit of phishing and credential-harvesting campaigns, and it continues to favor certain elements such as preferred registrars, ASNs, and a certificate authority.
- While the group uses relatively common techniques (phishing and a historical reliance on open-source offensive security tools), its continued use of these methods, determined posture, and progressive evolution of tactics suggest it remains formidable and capable.
- Given the group's observed operational tempo and willingness to adapt to public reporting on its activity, we expect BlueCharlie to continue operations for the foreseeable future and, based on precedent, to keep evolving its TTPs.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group

## Background

BlueCharlie is a Russia-linked threat activity group with [links to groups that have been active since at least 2017](https://techcrunch.com/2023/02/08/seaborgium-cold-river-hacking/).
BlueCharlie conducts operations focused on information gathering to enable further espionage, but also for use in hack-and-leak operations. BlueCharlie targets individuals and organizations in North Atlantic Treaty Organization (NATO) nations, entities in Ukraine, and [institutions in the government, higher education, defense, and political sectors, as well as NGOs, activists, journalists, and think tanks](https://techcrunch.com/2023/02/08/seaborgium-cold-river-hacking/) and [national laboratories](https://www.reuters.com/world/europe/russian-hackers-targeted-us-nuclear-scientists-2023-01-06/). Past incidents include a hack-and-leak operation that tried to build a narrative around high-level Brexit proponents planning a coup, as well as a [cyberespionage campaign targeting Brookhaven National Laboratory, Argonne National Laboratory, and Lawrence Livermore National Laboratory](https://www.reuters.com/world/europe/russian-hackers-targeted-us-nuclear-scientists-2023-01-06/) between August and September 2022. In January 2023, cybersecurity firm Nisos [reported](https://www.nisos.com/blog/coldriver-group-report/) personally identifiable information tied to technical details of COLDRIVER campaigns and identified a Russian national, Andrey Korinets, as a potential member of the group. Insikt Group has not independently verified Korinets's affiliation with BlueCharlie activity at this time.

BlueCharlie has carried out persistent phishing and credential theft campaigns that enable follow-on intrusions and data theft. The group likely uses open sources to conduct extensive reconnaissance ahead of intrusion operations in order to improve the likelihood that its spearphishing will succeed. In at least one case, [Star Blizzard/SEABORGIUM created fraudulent profiles on social media platforms, including LinkedIn](https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/), to conduct reconnaissance on targeted entities. Some of the messages included resources that spoofed pages from prominent organizations to build credibility. [Campaigns between 2015 and 2020](https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/) relied on emails purporting to come from popular mail services and often contained malicious links or attachments.

## Threat and Technical Analysis

Following public reporting ([1](https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/), 2, 3, 4, [5](https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/), 6), including our own, we observed that BlueCharlie changed its TTPs as of at least mid-December 2022, shortly after our report and other industry reporting exposed its credential harvesting infrastructure.

#### Domain Name Structure

[Since the release of our initial report describing TAG-53 activity](https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations), the threat group has shifted its use of certain words in its domains to a new pattern. In our previous report, all but 1 of the 38 domains discovered via BlueCharlie tracking used similarly structured domain names, primarily made up of 2 terms (depicted in Figure 1 below) separated by a hyphen, such as "cloud-safety[.]online". The exception to this rule was proxycrioisolation[.]com. While the structure has changed for the most recent activity, the new naming convention is consistent and highly similar across all 94 observed domains.
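As an added example (not code from the Insikt Group report), the following Python encodes the earlier naming convention described above as a hunting heuristic: it refangs a candidate domain, isolates the registrable label, splits it on hyphens, and flags the name when every token comes from the Figure 1 term list. The term list is the report's; the small public-suffix list, the sample feed entries other than the two domains named in the report, and the generalization to labels of more than two terms are assumptions.

```python
"""Hunting heuristic for the earlier BlueCharlie domain-naming pattern.

Added example, not code from the Insikt Group report. It encodes the
pattern the report describes for the previously observed domains: a
registrable label built from two (or more) hyphen-separated terms drawn
from the Figure 1 list, such as cloud-safety[.]online.
"""
import re

# Terms from Figure 1, including the variants the report lists
# (check/checker, control/controls, protect/protected/protector).
FIGURE1_TERMS = frozenset({
    "check", "checker", "dns", "cloud", "control", "controls", "docs",
    "document", "network", "of", "protect", "protected", "protector",
    "safety", "storage", "transfer", "web",
})

# Assumption: a short suffix list for the example. A production pipeline
# should use the Public Suffix List so multi-label suffixes (co.uk) work.
KNOWN_SUFFIXES = ("online", "com", "net", "org", "cloud", "site", "info")


def refang(domain: str) -> str:
    """Undo the [.] / (.) / hxxp defanging used in threat reports."""
    d = domain.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip("./")


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'cloud-safety'.

    Subdomains are discarded, so mail.cloud-safety.online and
    cloud-safety.online both yield 'cloud-safety'.
    """
    parts = refang(domain).split(".")
    if len(parts) < 2:
        return ""
    if parts[-1] in KNOWN_SUFFIXES:
        parts = parts[:-1]
    return parts[-1]


def matches_term_pattern(domain: str, min_terms: int = 2) -> bool:
    """True when the registrable label has at least `min_terms` hyphen-separated
    tokens and every token is a Figure 1 term."""
    tokens = registrable_label(domain).split("-")
    if len(tokens) < min_terms or any(t == "" for t in tokens):
        return False
    return all(t in FIGURE1_TERMS for t in tokens)


def hunt(candidates):
    """Return the refanged candidates that match, in input order."""
    return [refang(c) for c in candidates if matches_term_pattern(c)]


# Constructed feed of newly observed domains. Only the first two are named
# in the report; the rest are made up to exercise the heuristic.
SAMPLE_FEED = [
    "cloud-safety[.]online",         # named in the report: matches
    "proxycrioisolation[.]com",      # the report's one exception: no hyphen
    "docs-transfer.net",             # constructed: matches
    "protected-storage-of-docs.com", # constructed: four Figure 1 terms
    "mail.web-control.online",       # constructed: subdomain of a matching label
    "cloud-backup.com",              # constructed: 'backup' is not a Figure 1 term
    "example.com",                   # constructed: single token
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FEED):
        print("candidate:", hit)
```

Terms such as "cloud", "storage", and "transfer" are common in legitimate names, so a hit is a triage signal to enrich with the registrar, ASN, and certificate pivots described in the following subsections, not a verdict. The report also notes that the convention changed for the 2023 domains, so this heuristic covers only the earlier pattern.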
Prior activity relied on a trailing URL structure for

1 https[:]//github[.]com/kgretzky/evilginx2/blob/511860ca993b73e0d412c372c8aaa4b70ba5a7e1/core/config.go

**Figure 1: Terms used in previously observed BlueCharlie domain names (Source: Recorded Future)**

- check/checker
- dns
- cloud
- control/controls
- docs
- document
- network
- of
- protect/protected/protector
- safety
- storage
- transfer
- web

#### Registrars

[Registrar breakdown figures not reproduced in this text.]

#### Autonomous Systems

In our previous reporting, we identified the Autonomous System Numbers (ASNs) where BlueCharlie IP addresses were most commonly found, shown in Table 1 below.

|ASN|AS Name|BlueCharlie Domain Count|
|---|---|---|
|AS52000|MIRhosting|11|
|AS54290|Hostwinds|10|
|AS44094|WEBHOST1-AS|4|
|AS62240|Clouvider|4|
|AS62005|BV-EU-AS|3|
|AS44477|STARK-INDUSTRIES|2|
|AS16276|OVH|1|
|AS20278|NEXEON|1|
|AS206446|CLOUDLEASE|1|
|AS43624|STARK-INDUSTRIES-SOLUTIONS-AS|1|

**Table 1: ASN detail breakdown for previous BlueCharlie-linked domains (Source: Recorded Future)**

In our current observations of BlueCharlie ASNs in use, we highlight the reuse of the ASNs that appear in both Table 1 and Table 2: AS52000, AS54290, AS44094, AS62240, AS62005, AS44477, and AS43624.

**Figure 5: Breakdown of Autonomous Systems (AS) used by BlueCharlie in the previous and current campaign (Source: Recorded Future)** [chart not reproduced in this text]

**Table 2 contains a further
breakdown of the most recently observed ASNs in use by BlueCharlie:**

|ASN|AS Name|BlueCharlie Domain Count|
|---|---|---|
|AS36352|ColoCrossing|35|
|AS62005|BlueVPS OU|32|
|AS54290|Hostwinds LLC|14|
|AS62240|Clouvider|12|
|AS44477|MIRhosting/Stark Industries|7|
|AS52000|MIRholding/MIRhosting|8|
|AS22612|Namecheap|8|
|AS43624|PQ HOSTING S.R.L.|2|
|AS44094|Webhost LLC|2|
|AS49392|LLC Baxet|2|
|AS62904|Eonix Corporation|2|
|AS3257|GTT Communications Inc.|1|

**Table 2: ASN detail breakdown for current BlueCharlie-linked domains (Source: Recorded Future)**

Additionally, [industry reporting](https://www.team-cymru.com/post/a-blog-with-noname) suggests that Stark Industries, MIRhosting, and Perfect Quality (PQ) Hosting (all present in the current activity) are related to Ivan Neculiti, a Moldovan national. Cybersecurity firm Team Cymru stated that it frequently observes "all three hosting companies being used to host malicious content, or … used directly for attack infrastructure", adding that "the website hucksters[.]net, which amongst other things seeks to expose individuals involved in fraud and spam, has previously [profiled NECULITI](https://hucksters.net/person/neculiti-ivan)".

#### X.509 TLS Certificates

Previously, all identified BlueCharlie domains hosted corresponding X.509 TLS certificates issued by Let's Encrypt. Because every Let's Encrypt issuance is published to Certificate Transparency logs, this consistent choice allows further correlation between BlueCharlie domains and infrastructure and strengthens the clustering of this activity. Let's Encrypt is also the most widely used certificate authority on the internet, so the issuer on its own is a correlating attribute for domains already under suspicion rather than an indicator in isolation. The group continues to rely almost exclusively on Let's Encrypt certificates. The only exception we identified was the domain bittechllc[.]net, which used a certificate from the [ZeroSSL](https://crt.sh/?id=8784745615) certificate authority; the remainder relied on Let's Encrypt. See, for example, the cloudrootstorage[.]com domain's certificate as found at [crt.sh](https://crt.sh/?id=9121759905) and depicted in Figure 6 below.

[Figure 6: crt.sh record for the cloudrootstorage[.]com certificate; image not reproduced in this text.]

## Mitigations

Phishing and spearphishing by state-sponsored advanced persistent threat (APT) groups present a persistent threat to organizational networks and personal information. A successful phish gives the threat actor access to privileged material or the ability to install malware such as ransomware or command-and-control implants.

- Implement multi-factor authentication (MFA) on all internet-facing web applications and appliances, especially webmail. MFA combines something you know (a password) with something you have (a code delivered by text message or generated by an MFA application), so a threat actor who holds only the password is likely unable to authenticate. Note that one-time codes can still be relayed in real time by adversary-in-the-middle phishing proxies such as evilginx2 (see footnote 1 above), which is why the FIDO2 recommendation below matters.
- Use a FIDO2-compliant MFA token; FIDO2 authenticators bind the credential to the legitimate origin, so a credential-harvesting page on a look-alike domain cannot replay it.
- Train employees, contractors, and third-party vendors to recognize phishing, spearphishing, and social engineering. Refreshing this training often (at least annually) for employees, vendors, contractors, and other third parties is critical to prevent credential harvesting and unwanted intrusions into your network.
- Disable all macros, particularly macros that load by default, in Microsoft Office products.
- Ensure that all attachments are scanned for malicious artifacts and behavior.
- Enforce a frequent password reset policy and strong password requirements for all internet-facing web applications and internal applications, especially webmail/email.
- Use a stand-alone password manager (such as Bitwarden or 1Password) to generate strong passwords, and use a unique password for each service. Passwords should not be reused across services/websites.
- Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or other network defense mechanisms to alert on, and upon review consider blocking, connection attempts to and from the external IP addresses and domains listed in Appendix A.

## Outlook

BlueCharlie has demonstrated the ability to adapt and evolve in response to public reporting, and it will likely continue to change its TTPs based on past precedent. Given the group's historical use of phishing (which is likely continuing in the new activity), we recommend that network defenders employ robust anti-phishing training and strongly encourage the use of a FIDO2-compliant multi-factor authentication token, such as a YubiKey. Users of the Recorded Future [Threat Intelligence (TI)](https://www.recordedfuture.com/platform/threat-intelligence), [Third-Party Intelligence](https://www.recordedfuture.com/platform/third-party-intelligence), and SecOps Intelligence modules can monitor real-time output from Network Intelligence analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.
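As an added example of the detection recommended in the mitigations above (not code from the Insikt Group report), the following Python turns a defanged domain list into Suricata DNS rules and runs the same label-aware suffix match over DNS logs, so a query for a subdomain of an IOC is caught while a look-alike that merely ends in the same characters is not. The four domains are the ones named in the report body, standing in for the full Appendix A list; the Zeek dns.log lines, the SID range, and the rule group name are constructed assumptions.

```python
"""Turn a defanged domain IOC list into DNS detections.

Added example, not code from the Insikt Group report. The domains are the
four named in the report body; the dns.log excerpt is constructed in Zeek's
tab-separated layout; the Suricata rules use the dns.query sticky buffer
and the endswith modifier (Suricata 5+). SID range and group are assumed.
"""
from typing import Optional

IOC_DOMAINS_DEFANGED = [
    "cloud-safety[.]online",
    "proxycrioisolation[.]com",
    "bittechllc[.]net",
    "cloudrootstorage[.]com",
]


def refang(domain: str) -> str:
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in IOC_DOMAINS_DEFANGED)


def ioc_hit(query: str) -> Optional[str]:
    """Return the matching IOC when `query` is the IOC itself or a subdomain
    of it (phishing infrastructure is often fronted by www./mail./login.),
    otherwise None. Matching walks label boundaries, so
    'notcloudrootstorage.com' does not match 'cloudrootstorage.com'."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_zeek_dns_log(lines):
    """Return (ts, src_ip, query, ioc) for dns.log records that hit an IOC.

    Zeek dns.log default column order starts: ts uid id.orig_h id.orig_p
    id.resp_h id.resp_p proto trans_id rtt query ... so the query is field 9.
    """
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) <= 9:
            continue
        ioc = ioc_hit(f[9])
        if ioc:
            hits.append((f[0], f[2], f[9], ioc))
    return hits


def suricata_rules(domains, base_sid=9_000_000, group="BlueCharlie"):
    """Emit one alert rule per IOC; `endswith` keeps subdomains in scope.
    Alerting (not dropping) matches the report's advice to review before
    blocking, since hosting-provider addresses recycle quickly."""
    rules = []
    for n, d in enumerate(sorted(domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{group} DNS query {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
        )
    return rules


# Constructed Zeek dns.log excerpt (tab-separated, header then four records).
SAMPLE_DNS_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery",
    "1690977600.1\tC1\t10.0.0.5\t53211\t10.0.0.2\t53\tudp\t1\t0.01\twww.example.com",
    "1690977601.2\tC2\t10.0.0.7\t53212\t10.0.0.2\t53\tudp\t2\t0.01\tmail.cloudrootstorage.com",
    "1690977602.3\tC3\t10.0.0.9\t53213\t10.0.0.2\t53\tudp\t3\t0.01\tnotcloudrootstorage.com",
    "1690977603.4\tC4\t10.0.0.5\t53214\t10.0.0.2\t53\tudp\t4\t0.01\tBITTECHLLC.NET.",
]

if __name__ == "__main__":
    for hit in scan_zeek_dns_log(SAMPLE_DNS_LOG):
        print("HIT", hit)
    print("\n".join(suricata_rules(IOC_DOMAINS)))
```

Domain indicators age better than the IP indicators in the appendix: the report's ASN tables are dominated by shared VPS providers whose addresses are reassigned quickly, so IP-based rules should carry an expiry and be reviewed before they are turned into blocks, whereas a query for a known BlueCharlie domain or one of its subdomains warrants immediate triage.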
## Appendix A — IOCs

[IOC tables not reproduced in this text.]

## Appendix B — MITRE ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Reconnaissance: Phishing for Information|T1598|
|Resource Development: Stage Capabilities|T1608|

## About Insikt Group®

Recorded Future's Insikt Group, the company's threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption.

## About Recorded Future®

Recorded Future is the world's largest intelligence company. Recorded Future's cloud-based Intelligence Platform provides the most complete coverage across adversaries, infrastructure, and targets. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape and empowers clients to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,600 businesses and government organizations across more than 70 countries.