Russian cyber actor Star Blizzard continues to refine tradecraft to evade detection


Devdiscourse News Desk | California | Updated: 10-12-2023 19:35 IST | Created: 10-12-2023 19:35 IST

Russia-based cyber threat actor Star Blizzard, previously SEABORGIUM, also known as COLDRIVER and Callisto Group, continues to evolve its spear-phishing tactics while remaining focused on email credential theft against the same targets.

The state-sponsored actor continues to prolifically target individuals and organizations involved in international affairs, defence, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests, Microsoft said in a recent blog post.

Microsoft joined forces with the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation to investigate the Star Blizzard compromises.

Based on their analysis, five new Star Blizzard evasion techniques were identified:

  • Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure.
  • Use of email marketing platform services to hide the true sender address and to avoid including actor-controlled domain infrastructure in the emails themselves.
  • Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action against the actor-controlled domains abusing its service.
  • Password-protected PDF lures, or links to cloud-based file-sharing platforms, to evade the email security controls defenders have in place.
  • Shifting to a more randomized domain generation algorithm (DGA) for actor-registered domains.
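Two of the evasion techniques above, password-protected PDF lures and links to cloud file-sharing services, exist precisely because a mail gateway cannot open an encrypted attachment and cannot see what a share link resolves to. A defender can still flag both for manual review. The following triage script is an added example written for this article, not code from Microsoft or from the joint advisory. It assumes a hypothetical list of file-sharing hostnames (FILE_SHARE_HOSTS), uses the heuristic that an encrypted PDF carries an /Encrypt key in its trailer, and runs on a constructed sample message rather than a real lure.

```python
"""Triage an inbound message for two lure patterns described in the article:
a password-protected PDF attachment, and a link to a cloud file-sharing
service. Example code written for this article, not Microsoft's tooling."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed list of file-sharing hosts to look for; extend to match your
# environment. Not a list published by Microsoft or the advisory.
FILE_SHARE_HOSTS = ("drive.google.com", "1drv.ms", "onedrive.live.com",
                    "dropbox.com", "proton.me")

URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)[^\s"'<>]*""")


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF has an /Encrypt entry in its trailer (or
    cross-reference stream) dictionary. A byte search avoids pulling in a
    PDF parser and still works on a truncated or malformed file."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def file_share_links(text: str) -> list[str]:
    """Return every URL in `text` whose host is, or is a subdomain of,
    one of FILE_SHARE_HOSTS."""
    hits = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hits.append(m.group(0))
    return hits


def triage(raw: bytes) -> list[str]:
    """Parse an RFC 5322 message and return human-readable findings,
    in the order the MIME parts appear."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            name = part.get_filename() or "<unnamed>"
            is_pdf = (part.get_content_type() == "application/pdf"
                      or name.lower().endswith(".pdf"))
            if is_pdf and pdf_is_encrypted(payload):
                findings.append(f"encrypted PDF attachment: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in file_share_links(part.get_content()):
                findings.append(f"file-sharing link: {url}")
    return findings


def build_sample(encrypted: bool = True, with_link: bool = True) -> bytes:
    """Constructed sample message for demonstration; not a real lure.
    The PDF body is a minimal stand-in with only the trailer keys that
    matter for the check."""
    trailer = b"/Root 1 0 R" + (b" /Encrypt 2 0 R" if encrypted else b"")
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< " + trailer + b" >>\n%%EOF\n")
    body = "Please review the attached paper before our call."
    if with_link:
        body += "\nA copy is also at\nhttps://drive.google.com/file/d/abc123/view"
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "target@example.invalid"
    msg["Subject"] = "Draft for review"
    msg.set_content(body)
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="paper.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Both checks are triage signals, not verdicts: plenty of legitimate mail carries encrypted PDFs or share links, so route the hits to an analyst queue or a sandbox that can request the password out of band, rather than blocking outright. The /Encrypt byte search also says nothing about the password itself; the point is that a file the gateway cannot open should never pass as "clean" by default.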

Microsoft recommends using phishing-resistant authentication methods and locking down account access with Conditional Access policies to harden environments against Star Blizzard activity. Other recommendations include:

  • Use advanced anti-phishing solutions that monitor and scan incoming emails and visited websites.
  • Run endpoint detection and response (EDR) in block mode.
  • Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus.
  • Use security defaults as a baseline set of policies to improve identity security posture.
  • Implement continuous access evaluation.
  • Continuously monitor for suspicious or anomalous activity.

"As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts," Microsoft wrote.
