Star Blizzard is a Russia-backed spear-phishing operation, formerly known as SEABORGIUM, that targets academia, defense, government, NGOs, and think tanks with highly personalized social engineering. It uses fake email and social media profiles, deceptive event invitations, and credential-stealing links hosted on cloud services, often bypassing MFA with EvilGinx. #StarBlizzard #SEABORGIUM
Keypoints
- Star Blizzard is a Russia-backed spear-phishing group tracked under multiple aliases, including SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, and BlueCharlie.
- The group targets academia, defense, government, NGOs, and think tanks, using tailored information about each target to draw victims into conversation.
- They build legitimacy by creating fake social media and email accounts and by posing as trusted contacts or experts.
- Phishing campaigns often start with personal outreach, then deliver malicious links hosted on Google Drive, OneDrive, or similar platforms.
- Reconnaissance relies on open-source data from social networks to identify victims and entry points.
- Star Blizzard has been linked to real-world actions and sanctioned by US and UK authorities; NSA has issued advisories on their spear-phishing techniques.
MITRE Techniques
- [T1593] Search Open Websites/Domains – Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.
- [T1589] Gather Victim Identity Information – Star Blizzard uses online data sets and open-source resources to gather information about their targets.
- [T1585.001] Establish Accounts: Social Media Accounts – Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.
- [T1585.002] Establish Accounts: Email Accounts – Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.
- [T1583.001] Acquire Infrastructure: Domains – Star Blizzard registers domains to host their phishing framework.
- [T1586.002] Compromise Accounts: Email Accounts – Star Blizzard has been observed using compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.
- [T1078] Valid Accounts – Star Blizzard uses compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts.
- [T1566.001] Phishing: Spear-phishing Attachment – Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.
- [T1566.002] Phishing: Spear-phishing Link – Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site.
- [T1550.004] Use Alternate Authentication Material: Web Session Cookie – Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.
- [T1539] Steal Web Session Cookie – Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.
- [T1114.002] Email Collection: Remote Email Collection – Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.
- [T1114.003] Email Collection: Email Forwarding Rule – Star Blizzard abuses email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to the victim's emails, even after compromised credentials are reset.
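Because forwarding rules survive a password reset (T1114.003 above), mailbox-audit records for rule creation and mailbox forwarding changes are the place to hunt. The detector below is an added example, not code from the original report or from SOCRadar: it scans constructed audit events shaped loosely like Exchange Online New-InboxRule / Set-InboxRule / Set-Mailbox records (the JSON field layout and the tenant domain thinktank.example are assumptions for the demo; the parameter names ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, ForwardingSmtpAddress and ForwardingAddress are the real cmdlet parameters) and flags any rule that sends mail to a domain outside the organisation, noting when the rule also deletes the local copy.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the org."""
import json

ORG_DOMAINS = {"thinktank.example"}  # assumed tenant domains for this demo

# Rule parameters that send a copy elsewhere (real Exchange cmdlet parameter names).
RULE_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")
WATCHED_OPS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")

# Constructed sample audit events (simplified JSON lines, not a verified schema).
SAMPLE_EVENTS = [
    '{"Operation":"New-InboxRule","UserId":"analyst@thinktank.example",'
    '"Parameters":{"Name":"sync","ForwardTo":"collector@attacker-mailbox.example",'
    '"DeleteMessage":true}}',
    '{"Operation":"New-InboxRule","UserId":"staff@thinktank.example",'
    '"Parameters":{"Name":"ooo","RedirectTo":"assistant@thinktank.example"}}',
    '{"Operation":"Set-Mailbox","UserId":"staff@thinktank.example",'
    '"Parameters":{"ForwardingSmtpAddress":"smtp:backup@personal-mail.example"}}',
]


def external_recipients(params, org_domains):
    """Return (parameter, address) pairs whose domain is not one of ours."""
    hits = []
    for key in RULE_PARAMS + MAILBOX_PARAMS:
        value = params.get(key)
        if not value:
            continue
        for addr in value if isinstance(value, list) else [value]:
            addr = addr.split(":", 1)[-1]  # strip an "smtp:" prefix if present
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                hits.append((key, addr))
    return hits


def detect_forwarding_rules(lines, org_domains=ORG_DOMAINS):
    """Parse audit lines and return one alert per externally-forwarding change."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("Operation") not in WATCHED_OPS:
            continue
        params = event.get("Parameters", {})
        targets = external_recipients(params, org_domains)
        if targets:
            alerts.append({"user": event["UserId"], "op": event["Operation"],
                           "targets": targets,
                           # DeleteMessage hides the forwarded copy from the victim
                           "hides_copy": bool(params.get("DeleteMessage"))})
    return alerts


if __name__ == "__main__":
    for alert in detect_forwarding_rules(SAMPLE_EVENTS):
        print(alert)
```

In production the same check belongs on a schedule over real audit exports, and an alert after a credential reset is the signal that access may have persisted.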
Indicators of Compromise
- [Domain] cache-dns[.]com, cache-dns-forwarding[.]com, and 2 more domains
- [Domain] cache-dns-preview[.]com, cache-docs[.]com, and 2 more domains
- [Domain] cloud-docs[.]com, cloud-drive[.]live, and 2 more domains
Read more: https://socradar.io/russian-apt-operation-star-blizzard/