Star Blizzard
Also known as: SEABORGIUM · Callisto Group · TA446 · COLDRIVER
Overview
Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.
Targets
Government · Journalists · Military · Think Tanks
TTPs — 20 techniques across 8 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1593 Search Open Websites/Domains
- T1598.002 Phishing for Information: Spearphishing Attachment
- T1598.003 Phishing for Information: Spearphishing Link
Resource Development
- T1583 Acquire Infrastructure
- T1583.001 Domains
- T1585.001 Social Media Accounts
- T1585.002 Establish Accounts: Email Accounts
- T1586.002 Compromise Accounts: Email Accounts
- T1588.002 Tool
- T1608.001 Upload Malware
Initial Access
- T1566.001 Spearphishing Attachment
Execution
- T1059.007 JavaScript
- T1204.002 Malicious File
Defense Evasion
- T1078 Valid Accounts
- T1656 Impersonation
Credential Access
- T1539 Steal Web Session Cookie
Lateral Movement
- T1550.004 Web Session Cookie
Collection
- T1114.002 Remote Email Collection
- T1114.003 Email Forwarding Rule
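The last two techniques above are the ones a defender can most directly hunt for after a successful credential or session-cookie theft: the actor logs into the victim mailbox and sets up a forwarding rule (T1114.003) so that collection continues even after the password is reset. The following is an added detection example, not code from the page or from any of the reporting listed below. It evaluates Microsoft 365 unified audit log records for the Exchange cmdlets that create forwarding (`New-InboxRule`, `Set-InboxRule`, `Set-Mailbox`) and flags any rule that forwards or redirects mail to an address outside the organisation, raising severity when the same rule also deletes or hides the forwarded copies. The audit records, the tenant domain `contoso.example`, and the recipient addresses are all constructed for the example.

```python
"""
Hunt for mailbox forwarding rules (ATT&CK T1114.003) in Microsoft 365
unified audit log export (one JSON record per line).

Added example; the record shape mirrors the Exchange audit schema
(Operation, UserId, Parameters as a list of {"Name","Value"}), but the
records, tenant domain and addresses below are constructed.
"""
import json

# Exchange parameters that deliver mail to another recipient.
FORWARD_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress",
}
# Parameters an intruder combines with forwarding so the victim never
# sees the duplicated or redirected messages.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"contoso.example"}


def _param_map(record):
    """Flatten the Parameters list into {name: value}."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external_addresses(value):
    """Extract recipient addresses not belonging to INTERNAL_DOMAINS.

    Values look like "smtp:user@domain" or "user@domain" and may be
    separated by ';' or ','.
    """
    found = []
    for token in str(value).replace(";", ",").split(","):
        token = token.strip().strip('"').lower()
        if token.startswith("smtp:"):
            token = token[len("smtp:"):]
        if "@" in token and token.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            found.append(token)
    return found


def evaluate_record(record):
    """Return a finding dict for a suspicious forwarding change, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _param_map(record)
    names = set(params)
    external = []
    for name in sorted(FORWARD_PARAMS & names):
        external.extend(_external_addresses(params[name]))
    if not external:
        return None  # internal-only forwarding is normal business traffic
    hiding = sorted(HIDE_PARAMS & names)
    return {
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "rule_name": params.get("Name"),
        "external_recipients": external,
        "hiding": hiding,
        # Forwarding plus deletion/hiding is the classic exfil rule.
        "severity": "high" if hiding else "medium",
    }


def scan(lines):
    """Evaluate every non-empty JSON line; return the list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = evaluate_record(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample export: one benign rule, two malicious changes,
# one internal forward, one unrelated operation.
SAMPLE_LOG = r"""
{"Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:archive@proton-mail.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-InboxRule","UserId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"Operation":"Set-Mailbox","UserId":"carol@contoso.example","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.home@webmail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"dave@contoso.example","Parameters":[{"Name":"Name","Value":"Tickets"},{"Name":"ForwardTo","Value":"smtp:helpdesk@contoso.example"}]}
{"Operation":"MailItemsAccessed","UserId":"alice@contoso.example","Parameters":[]}
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(json.dumps(f))
```

Run against a real export (`Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,Set-Mailbox` or the equivalent Purview export), replace `INTERNAL_DOMAINS` with the tenant's accepted domains, and treat a `high` finding on an account that recently had a password reset or new-device sign-in as a strong indicator that the mailbox is still being collected from.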
Tools & malware (1)
Spica
Reporting (3)
- Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware — Shields, W. (Google Threat Analysis Group)
- Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns — CISA, et al
- Star Blizzard increases sophistication and evasion in ongoing attacks — Microsoft Threat Intelligence