Star Blizzard

Star Blizzard is a Russia-linked, state-sponsored cyber espionage threat actor tracked by Microsoft as Star Blizzard and also referred to in the provided content as Callisto, Callisto Group, COLDRIVER/Coldriver, SEABORGIUM, Gossamer Bear, BlueCharlie, ReUse Team, Dancing Salome, TA446, and UNC4057. The content states that the group is an operational unit within Center 18 of the Russian Federal Security Service (FSB), and UK authorities assess it is almost certainly subordinate to the FSB. The group is known for highly tailored spear-phishing and credential-phishing operations conducted since at least 2016. Reported targets include governments, militaries, private-sector organizations, media, civil society organizations, journalists, think tanks, NGOs, parliamentarians, universities, public-sector entities, defense contractors, former intelligence personnel, Department of Defense and Department of State personnel, Department of Energy staff, and a Ukraine-based defense contractor. The content also states that the group targeted webmail accounts and sought persistent access to steal or exfiltrate sensitive information, including information related to defense, foreign affairs, and nuclear energy research. UK reporting in the content links the group to interference in British politics and democratic processes, including access to UK-US trade documents made public before the 2019 UK election and the 2018 hack of the Institute for Statecraft. Tradecraft described in the content centers on spear-phishing, impersonation, credential theft, and malware delivery. The group used spoofed and seemingly legitimate email accounts impersonating trusted contacts or government personnel, malicious domains and shortened URLs, and phishing infrastructure designed to harvest credentials. The content states that Star Blizzard used JavaScript to redirect victim traffic from adversary-controlled servers to servers hosting the Evilginx phishing framework, and that it incorporated the open-source EvilGinx framework into spear-phishing activity. It also states that the group sent emails with malicious PDF attachments and lured targets into opening malicious PDF files to deliver malware. Additional reporting in the content ties the actor to QR-code phishing targeting WhatsApp accounts of civil society organizations and journalists. The content also describes law-enforcement and industry disruption actions against the group’s infrastructure. Microsoft and the U.S. Department of Justice seized more than 100 domains allegedly used in Star Blizzard/Callisto spear-phishing and credential-theft operations, including 66 domains through Microsoft civil action and 41 domains through a U.S. seizure warrant. Microsoft reported that the actor targeted at least 82 customers since January 2023 and more than 30 civil society organizations between January 2023 and August 2024. Named individuals tied to the group in the content are Ruslan Aleksandrovich Peretyatko, identified as an FSB officer, and Andrey Stanislavovich Korinets, identified as an IT worker in Syktyvkar, Russia and also referred to by UK authorities as Alexei Doguzhev. The U.S. and UK sanctioned both individuals, and U.S. authorities charged them in connection with spear-phishing and hacking conspiracies attributed to the group.