BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023 | Recorded Future

Insikt Group (Recorded Future) reports that the Russia-linked threat actor BlueCharlie deployed 94 new domains in 2023, likely to support phishing and credential-harvesting operations. The group has shifted TTPs and improved OPSEC in response to public reporting, prompting recommendations to harden phishing defenses, adopt FIDO2 MFA, and leverage threat intelligence. #BlueCharlie #Callisto

Key points

  • BlueCharlie (associated with Callisto/COLDRIVER/Star Blizzard) is a Russia-linked group active since 2017 focusing on espionage and hack-and-leak information gathering.
  • Insikt observed 94 newly registered domains in 2023 tied to BlueCharlie, likely intended for phishing campaigns and credential harvesting.
  • Recent operations show TTP shifts and improved operational security, suggesting adaptation to industry reporting and efforts to evade researchers.
  • Past targeting includes government, defense, education, political sectors, NGOs, journalists, and think tanks, though current specific victims are unknown.
  • Appendix A provides a large IOC set (domains and IP addresses) used by the group; Appendix B maps activity to MITRE techniques T1598 and T1608.
  • Recommended mitigations: strengthen phishing defenses, implement FIDO2-compliant MFA, integrate threat intelligence, and educate third-party vendors.

MITRE Techniques

  • [T1598] Phishing for Information – Employed through phishing infrastructure and credential harvesting: (‘build new infrastructure for likely use in phishing campaigns and/or credential harvesting’)
  • [T1608] Stage Capabilities – Resource development used to stage phishing/harvesting capabilities via domain creation and hosting: (‘94 new domains’)

Indicators of Compromise

  • [Domains] Phishing/credential-harvesting infrastructure – bittechllc[.]net, clouddefsystems[.]com, and 92 more domains tied to BlueCharlie
  • [IP addresses] Hosting and infrastructure associated with the campaign – 104.140.180[.]125, 192.3.111[.]149, and 80+ other IP addresses

Recorded Future’s Insikt Group observed that BlueCharlie built and registered a large set of domains (94 identified) and associated hosting to support credential-harvesting and phishing operations. The domain names mimic legitimate IT, storage, and document services to increase credibility for phishing lures and likely host credential collection pages; defenders should monitor and block these names and associated host IPs.

The group’s recent activity departs from earlier patterns, indicating deliberate TTP changes and improved operational security, likely in reaction to public reporting. Insikt maps the activity to recon and resource-development ATT&CK techniques (Phishing for Information T1598 and Stage Capabilities T1608), underscoring the dual focus on infrastructure staging and information collection.

Mitigation steps include strengthening email and web phishing defenses, enforcing FIDO2-compliant multi-factor authentication to prevent credential replay, consuming threat intelligence feeds to ingest domain/IP IOCs, and educating third-party vendors on the observed tactics. Use the provided IOC lists and MITRE mappings for detection, blocking, and hunting across mail gateways, web proxies, DNS logs, and endpoint telemetry.
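The DNS-log hunting step described above, written out as an added example that is not part of the Recorded Future report: it refangs the page's defanged domain and IP indicators and matches them against constructed resolver log lines, using exact-or-subdomain matching so that a look-alike name such as notbittechllc.net does not produce a false hit. The log line format is an assumption, not a real capture.

```python
import re
import ipaddress
# Defanged indicators taken from the page's IOC section
DEFANGED_IOCS = ["bittechllc[.]net", "clouddefsystems[.]com",
                 "104.140.180[.]125", "192.3.111[.]149"]

def refang(ioc):
    """Turn a defanged indicator back into its canonical, comparable form."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")

def build_watchlist(iocs):
    """Split refanged IOCs into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for value in map(refang, iocs):
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:          # not an IP, so treat it as a domain
            domains.add(value)
    return domains, ips

def domain_matches(qname, domains):
    """Exact or subdomain match; avoids 'notbittechllc.net' hitting on a substring."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

# Constructed resolver log lines (assumed simplified format, not a real capture):
# "<timestamp> client <ip> query: <qname> <type> answer <resolved ip>"
SAMPLE_DNS_LOG = """\
2023-07-12T09:14:02Z client 10.0.5.23 query: login.bittechllc.net A answer 104.140.180.125
2023-07-12T09:14:05Z client 10.0.5.23 query: www.example.com A answer 93.184.216.34
2023-07-12T09:15:41Z client 10.0.8.7 query: clouddefsystems.com A answer 192.3.111.149
2023-07-12T09:16:00Z client 10.0.8.7 query: notbittechllc.net A answer 203.0.113.10
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) \S+ answer (?P<answer>\S+)$")
def hunt(log_text, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, client, qname, reason) for every line hitting the watchlist."""
    domains, ips = build_watchlist(defanged_iocs)
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        reasons = []
        if domain_matches(m["qname"], domains):
            reasons.append("domain")
        try:
            if ipaddress.ip_address(m["answer"]) in ips:
                reasons.append("resolved-ip")
        except ValueError:          # answer field was not an IP (e.g. CNAME)
            pass
        if reasons:
            hits.append((m["ts"], m["client"], m["qname"], "+".join(reasons)))
    return hits
```

The same watchlist can be applied to web-proxy or mail-gateway logs by swapping the regular expression for that source's line format.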

Read more: https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023