CISA Alert AA23-341A: Star Blizzard Targets NATO Countries with Spearphishing Attacks

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On December 7, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Russian nation-state threat group Star Blizzard and their spearphishing campaigns [1]. The threat group is known to target NATO countries and organizations in academia, government, defense, and energy industries. The motivation behind the spearphishing campaign appears to be cyber espionage. Organizations, especially the ones in previously targeted sectors, should be vigilant against Star Blizzard's spearphishing attacks.

In this blog, we explained the techniques used by Star Blizzard and how organizations can set an effective defense against spearphishing campaigns.

Simulate Phishing Attacks with 14-Day Free Trial of Picus Platform

Star Blizzard: A Nation-State Cyber Espionage Group

Star Blizzard is a Russian cyber espionage group known for their spearphishing attacks. The group has been active since 2019 and has many aliases, such as SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, and BlueCharlie. CISA and other security agencies in the advisory are almost certain that Star Blizzard is a subordinate of the Russian FSB Centre 18, making them a nation-state cyber threat group. Star Blizzard's attack campaigns appear to be multifaceted, reflecting a blend of political, ideological, and financial incentives. Their activities focus on gathering intelligence that could provide strategic advantages to state actors against their geopolitical rivals. The group mainly targets government agencies, defense contractors, energy companies, universities, and technology firms, predominantly in NATO countries. 

One of Star Blizzard's hallmark strategies is the use of spearphishing to gain unauthorized access to systems. The threat group sends targeted, deceptive emails that appear legitimate to unsuspecting victims and leverages social engineering techniques to manipulate individuals into divulging confidential information or unknowingly granting access to secure systems. Star Blizzard's spearphishing repertoire involves extensive research and reconnaissance. They gather detailed information about their targets, including personal details, professional roles, and even social habits, often through public sources like social media, company websites, and professional networking platforms. This information helps them craft convincing and personalized email content that appears relevant and trustworthy to the recipient. The group also excels in creating highly convincing email content that mimics legitimate communication. This can include replicating the email format of known contacts or organizations, using similar language styles, and incorporating subjects that are directly relevant to the target's interests or current affairs. After establishing trust, the threat group sends emails embedded with malicious links or attachments that lead their targets to an adversary-controlled website, prompting them to enter their credentials. Star Blizzard uses EvilGinx, an open-source phishing framework, to harvest credentials and session cookies to bypass two-factor authentication. 

After compromising the target's credentials, Star Blizzard set up mail forwarding rules to establish ongoing visibility into the victim's correspondence and contact list. They also use this access in other phishing campaigns to lure more victims into these attack campaigns.

How to Defend Against Spearphishing Attacks?

Organizations are advised to adopt a comprehensive and multi-layered strategy, combining technological defenses with robust training and awareness programs against spearphishing campaigns. The sophistication of these attacks necessitates a nuanced approach, addressing both the technical and human aspects of cybersecurity.

Train and educate employees and users about spearphishing attacks

Awareness training can be extremely effective in defending against spearphishing attacks, including those conducted by sophisticated groups like Star Blizzard. Spearphishing relies heavily on manipulating individuals through social engineering tactics, making the human element a critical factor in the success or failure of such attacks. Awareness training targets this human element, educating employees about the tactics used in spearphishing, how to recognize potential threats, and the appropriate actions to take when faced with a suspicious email or communication. 

Avoid Using the Same Passwords for multiple accounts

Limiting password reuse can significantly enhance an organization's defense against various cyber threats, including the repercussions of spearphishing attacks. When employees use the same password across multiple accounts or systems, a successful spearphishing attack that compromises one set of credentials can have far-reaching consequences. The attackers can potentially gain access to multiple systems or data sources, dramatically increasing the impact of the breach. By enforcing a policy of unique passwords for different systems and accounts, an organization can limit the scope of unauthorized access in the event of a credential compromise. If one password is compromised, the breach remains contained to that specific account or system, significantly mitigating the potential damage.

Implement Multi-Factor Authentication (MFA)

Implementing multi-factor authentication (MFA) is a highly effective measure in bolstering defenses against spearphishing attacks, such as those conducted by sophisticated groups like Star Blizzard. MFA adds an additional layer of security beyond just a username and password, making unauthorized access significantly more difficult, even if login credentials are compromised. In spearphishing attacks, attackers often attempt to steal user credentials, such as passwords, through deceptive emails. If an employee inadvertently divulges this information, the presence of MFA can still prevent unauthorized access. It's important to note that while MFA adds a substantial security layer, it's not infallible. Attackers are constantly evolving their tactics and have developed methods to bypass MFA in some cases, such as through real-time phishing or exploiting weaknesses in text message-based MFA. Therefore, MFA should be part of a comprehensive security strategy that includes employee awareness training, secure password practices, regular software updates, and vigilant monitoring of network activity.

Disable Mail-Forwarding

Disabling unauthorized mail-forwarding can benefit organizations in enhancing their cybersecurity posture, particularly in the context of mitigating the risks associated with spearphishing attacks. When attackers gain access to an email account, one of the tactics they might use is to set up mail forwarding to an external account. This allows them to covertly monitor communications and gather sensitive information over time without the user's knowledge. By disabling or strictly controlling mail-forwarding features, an organization can prevent this type of stealthy information exfiltration. If attackers cannot easily forward emails to their own accounts, it limits their ability to gather data silently. This measure becomes particularly important in scenarios where an attacker has managed to gain access to an email account but has not yet been detected.

How Picus Helps Simulate Phishing Attacks?

Picus Complete Security Validation Platform enables organizations to simulate phishing threats and test their security posture against phishing attacks. In the Picus Threat Library, you can find threats delivered as a malicious attachment or a malicious link that assesses your email security controls and your users' awareness level.

example-attack-scenario

Figure 1: An Example Attack Scenario Simulates T1566 Phishing Technique

Picus Mitigation Library also provides actionable mitigation content on how to defend against the T1566 Phishing technique to improve your security posture against phishing attacks.
Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.

MORE RESOURCES

References

[1] "Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a. [Accessed: Dec. 08, 2023]