{
	"id": "c6b2c52f-c499-4256-b2a8-0ba760cd2e42",
	"created_at": "2026-04-06T00:21:26.478944Z",
	"updated_at": "2026-04-10T03:35:41.820035Z",
	"deleted_at": null,
	"sha1_hash": "b43bfe5a12e60a06af2425f490f3582e434586f6",
	"title": "Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spearphishing Campaigns | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91897,
	"plain_text": "Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spearphishing Campaigns | CISA\r\nPublished: 2023-12-07 · Archived: 2026-04-05 16:56:55 UTC\r\nThe Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.\r\nOVERVIEW\r\nThe Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spearphishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.\r\nThe UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.\r\nIndustry has previously published details of Star Blizzard. This advisory draws on that body of information.\r\nThis advisory raises awareness of the spearphishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.\r\nTo download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spearphishing Campaigns.\r\nTARGETING PROFILE\r\nSince 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.\r\nTargets in the UK and US appear to have been most affected by Star Blizzard activity; however, activity has also been observed against targets in other NATO countries, and countries neighboring Russia.\r\nDuring 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.\r\nOUTLINE OF THE ATTACKS\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a\r\nPage 1 of 6\r\nThe activity is typical of spearphishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spearphishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.\r\nResearch and Preparation\r\nUsing open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts [T1589], [T1593].\r\nStar Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.\r\nStar Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.\r\nTo appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001]. Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.\r\nPreference for Personal Email Addresses\r\nStar Blizzard has predominantly sent spearphishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.\r\nBuilding a Rapport\r\nHaving taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.\r\nDelivery of Malicious Link\r\nOnce trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.\r\nThe malicious link may be a URL in an email message, or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms.\r\nStar Blizzard uses the open-source framework EvilGinx in their spearphishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [T1539], [T1550.004].\r\nExploitation and Further Activity\r\nWhichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.\r\nStar Blizzard then uses the stolen credentials to log in to a target’s email account [T1078], where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002]. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].\r\nThe actor has also used their access to a victim email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].\r\nCONCLUSION\r\nSpearphishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success.\r\nIndividuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.\r\nIn the UK you can report related suspicious activity to the NCSC.\r\nInformation on effective defense against spearphishing is included in the Mitigations section below.\r\nMITRE ATT\u0026CK®\r\nThis report has been compiled with respect to the MITRE ATT\u0026CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.\r\nTactic | ID | Technique | Procedure\r\nReconnaissance | T1593 | Search Open Websites/Domains | Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.\r\nReconnaissance | T1589 | Gather Victim Identity Information | Star Blizzard uses online data sets and open-source resources to gather information about their targets.\r\nResource Development | T1585.001 | Establish Accounts: Social Media Accounts | Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.\r\nResource Development | T1585.002 | Establish Accounts: Email Accounts | Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spearphishing activity.\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Star Blizzard registers domains to host their phishing framework.\r\nResource Development | T1586.002 | Compromise Accounts: Email Accounts | Star Blizzard has been observed using compromised victim email accounts to conduct spearphishing activity against contacts of the original victim.\r\nInitial Access | T1078 | Valid Accounts | Star Blizzard uses compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | Star Blizzard sends spearphishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.\r\nDefense Evasion | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.\r\nCredential Access | T1539 | Steal Web Session Cookie | Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.\r\nCollection | T1114.002 | Email Collection: Remote Email Collection | Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.\r\nCollection | T1114.003 | Email Collection: Email Forwarding Rule | Star Blizzard abuses email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to victim's emails, even after compromised credentials are reset.\r\nMITIGATIONS\r\nA number of mitigations will be useful in defending against the activity described in this advisory.\r\nUse strong passwords. Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: Top Tips for Staying Secure Online.\r\nUse multi-factor authentication (2-factor authentication/two-step authentication) to reduce the impact of password compromises. See NCSC guidance: Multi-factor Authentication for Online Services and Setting Up 2-Step Verification (2SV).\r\nProtect your devices and networks by keeping them up to date: use the latest supported versions, apply security updates promptly, use anti-virus and scan regularly to guard against known malware threats. See NCSC guidance: Device Security Guidance.\r\nExercise vigilance. Spearphishing emails are tailored to avoid suspicion. You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: Phishing Attacks: Defending Your Organization and Internet Crime Complaint Center (IC3) | Industry Alerts.\r\nEnable your email providers’ automated email scanning features. These are turned on by default for consumer mail providers. See NCSC guidance: Telling Users to \"Avoid Clicking Bad Links\" Still Isn’t Working.\r\nDisable mail-forwarding. Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.\r\nDISCLAIMER\r\nThis report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.\r\nThis information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.\r\nRefer any FOIA queries to ncscinfoleg@ncsc.gov.uk.\r\nAll material is UK Crown Copyright©.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a"
	],
	"report_names": [
		"aa23-341a"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"CALISTO",
				"COLDRIVER",
				"Callisto Group",
				"GOSSAMER BEAR",
				"SEABORGIUM",
				"Star Blizzard",
				"TA446"
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434886,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b43bfe5a12e60a06af2425f490f3582e434586f6.pdf",
		"text": "https://archive.orkl.eu/b43bfe5a12e60a06af2425f490f3582e434586f6.txt",
		"img": "https://archive.orkl.eu/b43bfe5a12e60a06af2425f490f3582e434586f6.jpg"
	}
}