NSA and partners issue advisory on Russian “Star Blizzard” spear-phishing campaign

On December 7, the National Security Agency (NSA) announced that it has joined the UK National Cyber Security Centre (NCSC-UK) and other partners in releasing the Cybersecurity Advisory (CSA), “Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-Phishing Campaigns,” to raise awareness of the specific spear-phishing techniques used by Star Blizzard to target individuals and organizations, including the U.S. government and Defense Industrial Base, and to provide guidelines to protect against the continued threat.

Star Blizzard, formerly known as SEABORGIUM or BlueCharlie, is an organization with links to the Russian Federal Security Service (FSB) that targets specific individuals or groups perceived to have direct access to information of interest to Russia, including governmental organizations, the defense industry, academia, think tanks, NGOs, politicians, and others in the U.S. and UK, as well as targets in other NATO countries and countries neighboring Russia.

“Russia continues to be a threat. They continue to successfully use known spear-phishing techniques for intelligence gathering,” said Rob Joyce, director of NSA’s Cybersecurity Directorate. “Those at risk should note that the FSB likes to target personal email accounts, where they can still get to sensitive information but often with a lower security bar.”

Following the previously published guidance from January 2023, the report details two newly reported tactics, techniques, and procedures (TTPs) used by Star Blizzard to target individuals and organizations. The actor uses EvilGinx, an open source adversary-in-the-middle phishing framework that proxies the victim’s login to the legitimate site and captures both the entered credentials and the resulting session cookie; replaying that cookie gives the actor an already-authenticated session, so multifactor authentication is bypassed without the actor ever answering an MFA challenge. According to the CSA, likely Star Blizzard activity expanded in 2022 to include defense and energy targets.
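Because the attack described above completes the real MFA step through the attacker’s proxy and then reuses the stolen cookie elsewhere, it tends to leave two traces in sign-in telemetry: a session whose MFA was satisfied from one IP address but which is then used from a different one shortly afterwards, and several unrelated users completing MFA from the same IP address (the proxy) in a short window. The script below is an added example written for this page, not code from the advisory or from the Evilginx project; the event schema and the sample events are constructed, and the ten-minute and five-minute windows and the three-user threshold are illustrative tuning choices, not values the advisory recommends.

```python
"""Flag sign-in activity consistent with a replayed session cookie from an
adversary-in-the-middle phishing proxy.

Constructed, simplified event schema (not any vendor's real log format):
    (timestamp_iso8601, user, session_id, source_ip, event)
where event is "mfa_satisfied" (the user completed the MFA challenge) or
"token_use" (the session cookie/token was presented to the service).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Alice signs in normally and
# roams to a new IP hours later; Bob, Carol and Dave all pass MFA via the same
# proxy IP (203.0.113.7), and two of those sessions are then used from the
# attacker's own address (192.0.2.44) within a couple of minutes.
SAMPLE_EVENTS = [
    ("2023-12-07T09:00:00", "alice@example.org", "S1", "198.51.100.10", "mfa_satisfied"),
    ("2023-12-07T09:00:30", "alice@example.org", "S1", "198.51.100.10", "token_use"),
    ("2023-12-07T09:01:10", "bob@example.org",   "S2", "203.0.113.7",   "mfa_satisfied"),
    ("2023-12-07T09:01:40", "bob@example.org",   "S2", "192.0.2.44",    "token_use"),
    ("2023-12-07T09:02:05", "carol@example.org", "S3", "203.0.113.7",   "mfa_satisfied"),
    ("2023-12-07T09:02:20", "carol@example.org", "S3", "192.0.2.44",    "token_use"),
    ("2023-12-07T09:03:00", "dave@example.org",  "S4", "203.0.113.7",   "mfa_satisfied"),
    ("2023-12-07T15:00:00", "alice@example.org", "S1", "198.51.100.99", "token_use"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_session_ip_mismatches(events, window=timedelta(minutes=10)):
    """Return (user, session_id, mfa_ip, use_ip) for every session whose
    cookie/token is used from an IP other than the one that passed MFA,
    within `window` of the MFA event.

    The window is a noise-reduction choice: a token used from a new IP six
    hours later is much more likely to be a user roaming than a replay, so
    Alice's S1 session in the sample is deliberately not flagged.
    """
    mfa_origin = {}  # session_id -> (timestamp, ip) of the MFA event
    hits = []
    for ts, user, sid, ip, event in sorted(events, key=lambda e: e[0]):
        now = parse_ts(ts)
        if event == "mfa_satisfied":
            mfa_origin[sid] = (now, ip)
        elif event == "token_use" and sid in mfa_origin:
            mfa_time, mfa_ip = mfa_origin[sid]
            if ip != mfa_ip and now - mfa_time <= window:
                hits.append((user, sid, mfa_ip, ip))
    return hits


def find_shared_mfa_sources(events, min_users=3, window=timedelta(minutes=5)):
    """Return {ip: sorted_users} for source IPs from which at least
    `min_users` distinct users satisfied MFA inside one sliding `window`.

    A single phishing proxy fronting many victims produces exactly this
    pattern; a corporate NAT egress can too, so treat hits as leads to
    enrich (ASN, known egress ranges), not verdicts.
    """
    by_ip = defaultdict(list)
    for ts, user, _sid, ip, event in events:
        if event == "mfa_satisfied":
            by_ip[ip].append((parse_ts(ts), user))

    suspicious = {}
    for ip, entries in by_ip.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            users = {u for t, u in entries[i:] if t - start <= window}
            if len(users) >= min_users:
                suspicious[ip] = sorted(users)
                break
    return suspicious


if __name__ == "__main__":
    for user, sid, mfa_ip, use_ip in find_session_ip_mismatches(SAMPLE_EVENTS):
        print(f"possible replayed session: {user} {sid} MFA from {mfa_ip}, used from {use_ip}")
    for ip, users in find_shared_mfa_sources(SAMPLE_EVENTS).items():
        print(f"possible phishing proxy: {ip} completed MFA for {', '.join(users)}")
```

Both heuristics are leads rather than verdicts: VPNs, mobile carriers, and shared corporate egress all produce IP changes and shared sources legitimately, so in practice the hits are enriched with ASN and known-egress data before anyone is paged. The detection is also a compensating control, not a fix; what actually defeats this class of proxying is phishing-resistant MFA such as FIDO2/WebAuthn, whose assertion is bound to the legitimate origin and so cannot be relayed through a look-alike domain.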

This advisory outlines mitigations to defend against Star Blizzard activity. These mitigations include using strong passwords, using multifactor authentication (MFA), completing network and device updates, exercising vigilance in identifying suspicious emails and links, enabling automated email scanning features, and disabling mail forwarding.

Read the full report here.

Source: NSA
