Insikt Group profiles TAG-53 infrastructure that overlaps with Callisto Group, COLDRIVER, and SEABORGIUM, detailing patterns in domain naming, TLS certificates from Let’s Encrypt, hosting clusters, and a small set of autonomous systems, suggesting long-running credential-harvesting operations. The report highlights a spoofed Microsoft login page impersonating a US military hardware supplier to facilitate phishing-based credential theft. #TAG-53 #CallistoGroup #COLDRIVER #SEABORGIUM #GlobalOrdnance #LetsEncrypt #MIRhosting #HOSTWINDS
Keypoints
- TAG-53 infrastructure likely overlaps with Callisto Group, COLDRIVER, and SEABORGIUM, indicating shared tools, patterns, and objectives.
- The infrastructure shows consistent traits: specific domain registrars, Let’s Encrypt TLS certificates, and a small cluster of autonomous systems.
- Domains are crafted to masquerade as legitimate organizations across government, intelligence, and defense sectors, aiding credibility with targets.
- A spoofed Microsoft login page masquerading as a US weapons supplier signals operational credential-harvesting activity.
- 38 TAG-53 domains have been identified since January 2022, with a characteristic 2-term hyphenated structure dominating the set.
- Autonomous systems hosting TAG-53 domains cluster around MIRhosting (AS52000) and HOSTWINDS (AS54290), among others.
- Credential harvesting is likely carried out via phishing, with infrastructure built for staging and for broad targeting of government and defense entities.
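The recurring infrastructure traits listed above (two-term hyphenated domain labels, Let's Encrypt certificates, a small set of autonomous systems, and impersonated organization names) can be turned into a simple hunting heuristic. The following Python is an added defender-side example, not code from the Insikt Group report: it scores constructed certificate-transparency or passive-DNS style records against those traits. The `CertRecord` shape, the `watch_terms` brand list and the sample records are assumptions; the benign sample ASNs use the documentation range (AS64496, AS64497).

```python
import re
from dataclasses import dataclass

# Autonomous systems the report lists as hosting TAG-53 domains.
TAG53_ASNS = {52000, 54290, 44094, 62240, 62005, 44477, 16276, 20278, 206446, 43624}
# Two alphanumeric terms joined by one hyphen, e.g. drive-globalordnance, cloud-safety.
TWO_TERM_HYPHEN = re.compile(r"^[a-z0-9]+-[a-z0-9]+$")
LETS_ENCRYPT_ISSUER = "let's encrypt"  # matched against the issuer O/CN string


@dataclass
class CertRecord:          # assumed shape of a CT / passive-DNS record
    domain: str            # may be defanged, e.g. "drive-globalordnance[.]com"
    issuer: str
    asn: int


def score_record(rec: CertRecord, watch_terms: set) -> tuple:
    """Return (score, reasons) for how many TAG-53 profile traits a record shows."""
    reasons = []
    fqdn = rec.domain.lower().replace("[.]", ".")   # refang defanged input
    label = fqdn.split(".")[0]                       # leftmost label, e.g. 'drive-globalordnance'
    if TWO_TERM_HYPHEN.match(label):
        reasons.append("two-term hyphenated label")
    if LETS_ENCRYPT_ISSUER in rec.issuer.lower():
        reasons.append("Let's Encrypt certificate")
    if rec.asn in TAG53_ASNS:
        reasons.append(f"hosted in AS{rec.asn}")
    if any(term in label for term in watch_terms):   # analyst-supplied brand list
        reasons.append("contains a watched organization name")
    return len(reasons), reasons


def triage(records, watch_terms, threshold=3):
    """Return (domain, score, reasons) for records at or above threshold, highest first."""
    hits = []
    for rec in records:
        score, reasons = score_record(rec, watch_terms)
        if score >= threshold:
            hits.append((rec.domain, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample records: two modelled on the report's IoCs, two benign look-alikes.
SAMPLE = [
    CertRecord("drive-globalordnance[.]com", "Let's Encrypt", 52000),
    CertRecord("cloud-safety[.]online", "Let's Encrypt", 54290),
    CertRecord("globalordnance.com", "Example CA Inc", 64496),   # the legitimate brand itself
    CertRecord("my-blog.example", "Let's Encrypt", 64497),       # hyphenated but unrelated
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE, {"globalordnance"}):
        print(domain, score, reasons)
```

Treat the score as a pivot queue for analysts, not a verdict: a single hyphenated Let's Encrypt domain is common on the internet, which is why the default threshold requires three traits.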
MITRE Techniques
- [T1036] Masquerading – A spoofed sign-in page masquerading as a legitimate entity to harvest credentials. Quote: “The TAG-53 domain ‘drive-globalordnance[.]com’ includes a spoofed sign-in page for the legitimate company Global Ordnance, a military weapons and hardware supplier in the US.”
- [T1598] Phishing for Information – Credential harvesting campaigns likely enabled through phishing. Quote: “the threat actor has carried out persistent phishing and credential theft campaigns that have led to intrusions and data theft.”
- [T1608] Stage Capabilities – Infrastructure shows common traits (domain patterns, Let’s Encrypt TLS certificates, hosting clusters, small AS cluster) indicating staged development for operations. Quote: “Insikt Group observed the recurring use of common traits by TAG-53 when curating its infrastructure, including the use of domain names employing a specific pattern construct along with Let’s Encrypt TLS certificates, the use of a specific cluster of hosting providers, and the use of a small cluster of autonomous systems.”
Indicators of Compromise
- [Domains] TAG-53 domains used for infrastructure – cloud-safety[.]online, drive-globalordnance[.]com, umopl-drive[.]com, and 36 more domains.
- [IP Addresses] External IPs associated with TAG-53 activity – 23[.]254[.]201[.]243, 45[.]66[.]248[.]9, and 36 more addresses.
- [Autonomous Systems] ASNs hosting TAG-53 domains – AS52000 (MIRhosting), AS54290 (HOSTWINDS), AS44094 (WEBHOST1-AS), AS62240 (Clouvider), AS62005 (BV-EU-AS), AS44477 (STARK-INDUSTRIES), AS16276 (OVH), AS20278 (NEXEON), AS206446 (CLOUDLEASE), and AS43624 (STARK-INDUSTRIES-SOLUTIONS-AS).