NEW: Group Profiler — instant APT intel lookup. Try it →

← threatfilter.dev / all groups / Star Blizzard

Star Blizzard

G1033 Russia MITRE ATT&CK →

Also known as: SEABORGIUM · Callisto Group · TA446 · COLDRIVER

Overview

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.

Targets

Government · Journalists · Military · Think Tanks

TTPs — 20 techniques across 8 tactics

Reconnaissance

T1589 Gather Victim Identity Information
T1593 Search Open Websites/Domains
T1598.002 Spearphishing Attachment
T1598.003 Spearphishing Link

Resource Development

T1583 Acquire Infrastructure
T1583.001 Domains
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1586.002 Email Accounts
T1588.002 Tool
T1608.001 Upload Malware

Initial Access

T1566.001 Spearphishing Attachment

Execution

T1059.007 JavaScript
T1204.002 Malicious File

Stealth

T1078 Valid Accounts
T1684.001 Impersonation

Credential Access

T1539 Steal Web Session Cookie

Lateral Movement

T1550.004 Web Session Cookie

Collection

T1114.002 Remote Email Collection
T1114.003 Email Forwarding Rule

Tools & malware (1)

Spica

Reporting (3)

Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware — Shields, W
Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns — CISA, et al
Star Blizzard increases sophistication and evasion in ongoing attacks — Microsoft Threat Intelligence