Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures
A Russia-nexus adversary has been linked to 94 new domains starting March 2023, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities.
Cybersecurity firm Recorded Future linked the revamped infrastructure to a threat actor it tracks under the name?BlueCharlie , a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53).
"These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers," the company?said ?in a technical report.
BlueCharlie is assessed to be affiliated with Russia's Federal Security Service (FSB), with the threat actor linked to phishing campaigns aimed at?credential theft ?by making use of domains that?masquerade ?as the login pages of private sector companies, nuclear research labs, and NGOs involved in Ukraine crisis relief. It's said to be active?since at least 2017 .
"Calisto collection activities probably contribute to Russian efforts to disrupt Kiev supply-chain for military reinforcements," Sekoia?noted ?earlier this year. "Moreover, Russian intelligence collection about identi?ed war crime-related evidence is likely conducted to anticipate and build counter narrative on future accusations."
领英推荐
Another report published by NISOS in January 2023?identified ?potential connections between the group's attack infrastructure to a Russian company that contracts with governmental entities in the country.
"BlueCharlie has carried out persistent phishing and credential theft campaigns that further enable intrusions and data theft," Recorded Future said, adding the actor conducts extensive reconnaissance to increase the likelihood of success of its attacks.
The latest findings reveal that BlueCharlie has moved to a new naming pattern for its domains featuring keywords related to information technology and cryptocurrency, such as cloudrootstorage[.]com, directexpressgateway[.]com, storagecryptogate[.]com, and pdfsecxcloudroute[.]com.
Seventy-eight of the 94 new domains are said to have been registered using NameCheap. Some of the other domain registrars used include Porkbun and Regway.
To mitigate threats posed by state-sponsored advanced persistent threat (APT) groups, it's recommended that organizations implement phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a frequent password reset policy.
"While the group uses relatively common techniques to conduct attacks (such as the use of phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable," the company said.
Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan
1 年Thanks for the updates on, The Daily Cyber Security News ?? ??.