Russian FSB Targets US and UK Politicians in Sneaky Spear-Phish Plan
2023-12-9 00:14

“Star Blizzard” FSB team called out by Five Eyes governments (again).

The U.S. and UK, backed by Australia, Canada and New Zealand, have revealed more about an “advanced” Russian phishing campaign. It targets “academia, defense, governmental organizations, non-governmental organizations, think tanks and high-profile individuals.”

The UK was the first to release the accusations—because time zones, presumably. In today’s SB Blogwatch, we unpick the latest.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: PDP 11/73 resurrected.

TA446’s New TTPs

What’s the craic? Ellen Milligan and Ryan Gallagher report—“Russia Targeted Officials in Email-Hacking Campaign”:

Since at least 2015
The UK accused Russia’s main intelligence agency of seeking to hack the emails of British politicians and officials in an attempt to interfere in its democratic processes. … The intrusions include targeting personal email accounts and impersonation attempts against universities and media organizations. … Civil servants and journalists have also been targeted by Russia’s Federal Security Service, known as the FSB.

The UK added two Russian nationals to its sanctions list … for their alleged involvement in Star Blizzard, a cyber group the government says has been targeting UK politicians since at least 2015 and is linked to the FSB’s Center 18. … The FSB did not immediately respond to a request for comment.

Who are the two? And how do they do? Bill Toulas explains—“UK and allies expose Russian FSB hacking group, sanction members”:

Aleksandrovich Peretuatko … and Andrey Stanislavovich Korinets, aka Alexey Doguzhiev
The UK National Cyber Security Centre (NCSC) and Microsoft warn that the Russian state-backed actor “Callisto Group” (aka “Seaborgium” or “Star Blizzard”) is targeting organizations worldwide with spear-phishing campaigns. … The attackers source key information from social media platforms like LinkedIn and then approach their targets by emailing personal addresses.

After building rapport with the target over time, Callisto sends a malicious link embedded in a PDF document hosted on Google Drive or OneDrive, which takes the target to a phishing site. … The open-source EvilGinx proxy attack framework … steals both user credentials and session cookies, [allowing] Callisto to bypass two-factor authentication.

Agencies from the UK, US, Australia, Canada, and New Zealand … identified two members of the Callisto hacking group: … Aleksandrovich Peretuatko, believed to be an FSB Center 18 intelligence officer, and Andrey Stanislavovich Korinets, aka “Alexey Doguzhiev.” The two are considered directly responsible for Callisto operations … resulting in unauthorized access and exfiltration of sensitive data.

Those names are straight out of central casting. Microsoft PR has TTPs—“Star Blizzard increases sophistication”:

Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense … academia, information security companies, and other entities aligning with Russian state interests. … Star Blizzard has evolved to focus on improving its detection evasion capabilities [with] five new Star Blizzard evasive techniques.

We have observed Star Blizzard using two different services, HubSpot and MailerLite … to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure.
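The two excerpts above describe the same mechanism: a reverse proxy sits between the victim and the real login page, relays whatever the victim types (password, one-time code) and keeps the session cookie the real site hands back. The toy model below, added here and not part of any of the quoted reports, shows why a relayed one-time code succeeds while an origin-bound assertion of the kind WebAuthn produces does not: the browser signs the origin it is actually on, so a look-alike proxy host ends up in the signed data and the real site rejects it. Hostnames, secrets and the HMAC-based "signature" are all constructed stand-ins.

```python
import hashlib
import hmac
import json
import secrets

# All hosts, keys and codes below are constructed for the example.
REAL_ORIGIN = "https://login.example.test"    # the genuine site
PROXY_ORIGIN = "https://login-example.test"   # attacker's look-alike reverse proxy
TOTP_SECRET = b"constructed-shared-secret"     # shared between user device and site
DEVICE_KEY = secrets.token_bytes(32)           # stands in for the user's registered key

def totp_code(step):
    """Toy time-based code: HMAC over the time step (simplified, not RFC 6238)."""
    mac = hmac.new(TOTP_SECRET, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def site_verify_totp(code, step):
    """Real site: a matching code yields a session cookie, wherever it came from."""
    if hmac.compare_digest(code, totp_code(step)):
        return "session=" + secrets.token_hex(8)
    return None

def authenticator_sign(challenge, origin_seen):
    """Browser side: the origin the browser is on is bound into the signed data."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin_seen}).encode()
    sig = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def site_verify_assertion(assertion, challenge):
    """Real site: signature must verify AND the signed origin must be ours."""
    data = assertion["client_data"]
    expected = hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    parsed = json.loads(data)
    if parsed["origin"] != REAL_ORIGIN or parsed["challenge"] != challenge.hex():
        return None
    return "session=" + secrets.token_hex(8)

def aitm_relay_totp(step):
    """Victim types the code into the proxy page; proxy forwards it verbatim
    and receives the session cookie the real site issues."""
    code_from_victim = totp_code(step)
    return site_verify_totp(code_from_victim, step)

def aitm_relay_webauthn(challenge):
    """Proxy forwards the real site's challenge, but the victim's browser signs
    the proxy's origin, so the relayed assertion is rejected."""
    assertion = authenticator_sign(challenge, PROXY_ORIGIN)
    return site_verify_assertion(assertion, challenge)
```

The first relay returns a cookie and the second returns `None`; the same assertion signed under `REAL_ORIGIN` is accepted, which is the property the proxy cannot forge.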

Sauce for the goose? Spolmit pours it on:

I would imagine that we’re doing the same to them? The US will also be spying on us in exactly the same way they spied on Mrs. Merkel!

Of course they do. So says this Anonymous Coward:

Of course they do it, they just don’t tell anyone. … That said, the UK spends most of its time spying on Americans, while in return the USA does a lot against the British and they swap information. Plausible deniability, naturally.

(Anonymous because I don’t want to wake up with a black van parked outside my house.)

But what sort of influence does Russia want? AmiMoJo notes the #1 example:

Russia has been 0wning the UK for a long time. Brexit was their greatest triumph.

Hopefully they can be stopped. u/y2jeff just laughs:

Don’t worry, there’s always China and TikTok. Pretty much every democracy is susceptible to information warfare. Dictatorships can ban any information they don’t like, hide behind their great firewalls, and simply lock up their opponents. But anywhere with free speech is ****ed.

But why now? mjwx isn’t so sure:

The thing is, there is a mountain of evidence that Russians have interfered in UK politics over the last decade. … Same all over Europe as far-right causes—from Viktor Orbán in Hungary to AfD in Germany, 5 Star in Italy, Vox in Spain, to National Front in France—are all receiving assistance from Russian sources, all with the goal of destabilising the EU and Western Europe. Fortunately most Europeans grew up with Russian propaganda and the KGB trying to interfere in everything.

Old story, new techniques. u/Brnt_Vkng98871 salutes you:

It’s been going on longer than most people think. The NRA has been getting Russian money through various channels since the 1990’s. And that money gets donated to political campaigns. Somehow this is legal.

Meanwhile, VeryFluffyBunny snarks it up:

Are they sure it wasn’t just “Russian brides” cat-phishing gullible, lonely [politicians]?

And Finally:

tl;dw: Kinda.

Hat tip: Dave “Shayde” Shevett

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: DonkeyHotey (cc:by; leveled and cropped)
