Microsoft Alert: COLDRIVER Credential Theft Rising Again
In a recent Microsoft security alert, the threat actor known as COLDRIVER has escalated its credential theft activities against entities of strategic significance to Russia while refining its capabilities to evade detection. Microsoft tracks this threat as Star Blizzard (formerly SEABORGIUM). Also identified as Blue Callisto, BlueCharlie (or TAG-53), Calisto, Gossamer Bear, and TA446, the adversary persistently targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine. Academic institutions and information security companies aligned with Russian state interests are not spared either.
COLDRIVER Credential Theft
Star Blizzard, reportedly linked to Russia’s Federal Security Service (FSB), has a history dating back to at least 2017. The threat actor registers lookalike domains that mimic the login pages of targeted companies. In August 2023, Recorded Future uncovered 94 new domains associated with COLDRIVER’s attack infrastructure; these domains predominantly feature keywords related to information technology and cryptocurrency, showing how readily the actor adapts its themes.
COLDRIVER Malware Update: Dynamic Evasion Techniques
Microsoft’s security advisory observes a shift in COLDRIVER’s tactics: since April 2023 the adversary has used server-side scripts to thwart automated scanning of its infrastructure. Where it previously relied on hCaptcha, COLDRIVER now uses server-side JavaScript to decide whether a browsing session is redirected to the Evilginx server. The script assesses browser characteristics, checking for plugins or automation tools such as Selenium or PhantomJS, and based on that assessment the redirector server determines whether to proceed with the redirection. This dynamic gating is aimed at keeping automated scanners and sandboxes away from the credential-harvesting page.
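The gating behaviour described above leaves a fingerprint a defender can look for. The following added example (not code from Microsoft’s advisory or from the actor) scans captured redirector JavaScript for common headless-browser and automation checks; the script sample is constructed, and the indicator patterns are assumed, well-known markers rather than anything attributed to COLDRIVER’s actual code.

```python
import re

# Constructed stand-in for a gating redirector script; NOT the actor's code.
# It only reproduces the behaviour described in the advisory: fingerprint the
# browser for automation tooling, and redirect only when none is detected.
SAMPLE_GATE_JS = """
(function () {
  var bot = navigator.webdriver || window.callPhantom || window._phantom
         || document.__selenium_unwrapped || navigator.plugins.length === 0;
  if (!bot) { location.href = 'https://login-portal.example/'; }
})();
"""

# Constructed benign script with no fingerprinting and no redirect.
BENIGN_JS = "document.getElementById('x').textContent = new Date().toString();"

# Assumed indicator patterns: publicly known automation/headless markers
# (navigator.webdriver, PhantomJS hooks, Selenium/chromedriver globals).
INDICATORS = {
    "webdriver flag": r"navigator\.webdriver",
    "PhantomJS hook": r"(?:window\.)?(?:callPhantom|_phantom)\b",
    "Selenium marker": r"__selenium|__webdriver_(?:evaluate|script_fn)|\$cdc_",
    "plugin count check": r"navigator\.plugins\.length",
    "conditional redirect": r"location\.(?:href|replace)",
}


def find_automation_checks(js_source: str) -> list[str]:
    """Return the names of indicators present in the script, in table order."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, js_source)]


def is_gated_redirector(js_source: str) -> bool:
    """True when a script both fingerprints for automation and redirects.

    A page that redirects without any fingerprinting (a normal tracking
    link) or fingerprints without redirecting is not flagged.
    """
    hits = set(find_automation_checks(js_source))
    return "conditional redirect" in hits and bool(hits - {"conditional redirect"})


if __name__ == "__main__":
    for label, src in (("sample gate", SAMPLE_GATE_JS), ("benign", BENIGN_JS)):
        print(label, find_automation_checks(src), is_gated_redirector(src))
```

A hit on a page reached from a phishing link is a cue that an automated scan probably saw a decoy, and that a manual or non-headless detonation is needed to reach the real landing page.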
Ingenious Usage of Email Marketing Services
In a noteworthy update, Star Blizzard has incorporated email marketing services such as HubSpot and MailerLite into its campaigns. Links through these services serve as the starting point of the redirection chain, which ultimately leads to the Evilginx server where credentials are harvested. The threat actor also uses a Domain Name System (DNS) provider to resolve its actor-registered domain infrastructure, a multi-faceted approach to evading security measures.
The Cat-and-Mouse Game with Security Measures
Despite continuous changes and improvements in evasion tactics, Star Blizzard’s primary focus remains on email credential theft. Cloud-based email providers, hosting both organizational and personal email accounts, are the primary targets. Microsoft underscores the consistent use of dedicated Virtual Private Servers (VPSs) to host actor-controlled infrastructure, emphasizing the threat actor’s commitment to spear-phishing activities.
International Response and Sanctions
The gravity of Star Blizzard’s activities is underscored by international responses. The U.K. has accused Star Blizzard of attempting to interfere in its political processes, leading to sanctions against two identified members – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets. The U.S. Department of Justice (DoJ) unsealed an indictment against these individuals, revealing their involvement in spear-phishing campaigns.
Five Eyes Intelligence Alliance Concerns
The Five Eyes intelligence alliance, comprising Australia, Canada, New Zealand, the U.K., and the U.S., has expressed concerns over Star Blizzard’s tactics. The threat actor’s pattern includes impersonating known contacts, creating fabricated social media profiles, and establishing malicious domains resembling legitimate organizations. These tactics are employed to initiate spear-phishing attacks, often targeting high-profile individuals.
Unveiling the Spear-Phishing Techniques
Star Blizzard’s spear-phishing attacks follow a meticulous research and preparation phase in which the targets are reconnoitred. Contacting targets at personal email addresses is a deliberate move to bypass corporate network security controls. The threat actor builds rapport before delivering links that mimic legitimate service sign-in pages. Microsoft advises paying special attention to emails from Proton accounts, which Star Blizzard frequently uses.
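The indicators from the two passages above (Proton senders, a marketing-service link as the first hop, a multi-hop redirect ending on a lookalike sign-in domain) can be combined into a simple triage check. This added example is not code from Microsoft or from the page’s sources; the redirect table, sender addresses and hostnames are constructed, and the organisation’s real sign-in host and the marketing-service domain are assumed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data, not real Star Blizzard infrastructure: redirect hops
# as a proxy or sandbox would log them (marketing link -> redirector -> lookalike).
REDIRECTS = {
    "https://t.mktg-service.test/e/abc123": "https://gate.redirector.test/go",
    "https://gate.redirector.test/go": "https://login.contoso-secure.test/",
}
LEGIT_LOGIN_HOSTS = {"login.contoso.test"}   # assumed: the org's real sign-in host
MARKETING_HOSTS = ("mktg-service.test",)     # assumed stand-in for HubSpot/MailerLite
FREEMAIL_SENDER_DOMAINS = ("proton.me", "protonmail.com")


def follow_chain(url, table=REDIRECTS, max_hops=10):
    """Walk recorded redirects from url; stops at a dead end or after max_hops."""
    chain = [url]
    while chain[-1] in table and len(chain) <= max_hops:
        chain.append(table[chain[-1]])
    return chain


def is_lookalike(host, legit_hosts):
    """Flag a host that reuses the org's label (e.g. 'contoso') but is not the real host."""
    if host in legit_hosts:
        return False
    return any(legit.split(".")[-2] in host for legit in legit_hosts)


def score_email(sender, url):
    """Return the Star Blizzard-style indicators that an email/link pair triggers."""
    findings = []
    if sender.rsplit("@", 1)[-1].lower() in FREEMAIL_SENDER_DOMAINS:
        findings.append("sender uses Proton account")
    chain = follow_chain(url)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    if any(h.endswith(MARKETING_HOSTS) for h in hosts):
        findings.append("link enters via email marketing service")
    if len(chain) > 2:
        findings.append("multi-hop redirect chain")
    if is_lookalike(hosts[-1], LEGIT_LOGIN_HOSTS):
        findings.append("final hop is lookalike of sign-in page")
    return findings


if __name__ == "__main__":
    print(score_email("sender@proton.me", "https://t.mktg-service.test/e/abc123"))
    print(score_email("colleague@contoso.test", "https://login.contoso.test/"))
```

In practice the redirect table would be populated from proxy or sandbox logs, and the final-hop check should also compare the landing page to the real sign-in page rather than relying on the hostname alone.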
Legal Ramifications and Rewards for Justice
In response to the cybersecurity threat warning, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) implicated the FSB in hack-and-leak operations. The department accused Star Blizzard members of setting up credential harvesting domains and employing tools to bypass two-factor authentication. Alongside the sanctions, the U.S. Department of State has announced a $10 million reward for information leading to the identification of Star Blizzard’s members, underscoring the severity of the threat.
Expert Insights and Global Impact
Experts have weighed in on the situation. Adam Meyers, head of Counter Adversary Operations at CrowdStrike, highlights the evolution of COLDRIVER credential theft: originally targeting governments, military, think tanks, and media entities with links to Ukraine, the group has since expanded its focus. Gossamer Bear is suspected of using pro-Russia media outlets to launder information acquired through its collection operations, a concerning evolution.
International Diplomatic Response
In response to sanctions, the Russian Embassy in the U.K. dismisses them as a “futile move” and an “act of poorly staged drama.” President Vladimir Putin suggests that Western elites use sanctions to provoke conflicts in an attempt to maintain their slipping domination. This Microsoft warning update adds an additional layer to the complex narrative surrounding COLDRIVER and its activities.
Conclusion
The COLDRIVER threat, manifested through Star Blizzard’s intricate operations, demands a coordinated international response. As credential theft techniques evolve, collaboration between cybersecurity experts, intelligence agencies, and governments becomes paramount. Vigilance, adaptation of security measures, and public awareness are crucial to protecting against COLDRIVER credential theft.
The sources for this piece include articles in The Hacker News and OWASP.