Blog entry by Les Bell


The activities of a threat actor affiliated with the Russian Federal Security Service (FSB) have been detailed in a new report prepared by the UK's National Cyber Security Centre and international partners, while the British Foreign Secretary has described their activities as "completely unacceptable", and two individuals have been designated under the UK's cyber sanctions regime.

The domes of the Kremlin.

According to junior Foreign Office minister Leo Docherty, speaking to the House of Commons, the FSB "is behind a sustained effort to interfere in our democratic processes. They have targeted members of this House and the House of Lords. They have been targeting civil servants, journalists and NGOs. They have been targeting high-profile individuals and entities with a clear intent - using information they obtain to meddle in British politics".

Docherty singled out an FSB unit called Centre 18, which is associated with a threat group tracked by Microsoft as Star Blizzard (previously SEABORGIUM, and also known as Callisto Group, TA446 and COLDRIVER). The group has "selectively leaked and amplified the release of sensitive information in service of Russia's goals of confrontation", including an earlier release of documents related to UK-US trade.

Although today's disclosures in the British Parliament primarily relate to Star Blizzard's efforts against the UK, the group is known to target other countries in the NATO alliance - principally the US, but also the Baltic states, Scandinavia and Eastern Europe - as well as Ukraine in the lead-up to the invasion there. No surprise, then, that a number of international partners have collaborated with the UK's NCSC to prepare a report on the TTPs employed by Star Blizzard.

The group employs a 'low and slow' approach to profiling their targets, who are generally in academia, defence, government organisations, NGOs, think tanks and, of course, politicians, using open-source resources such as social media and professional networking platforms. In particular, they catalogue the targets' interests and their real-world social or professional contacts.

This information is used to create email and social media accounts masquerading as known contacts and industry experts. These may be used to lend credence to spoofed invitations to conferences or industry events as a lure in spear phishing emails, but first, Star Blizzard takes time to build trust through an exchange of benign correspondence, and also favours using personal email addresses in order to bypass controls in place on enterprise networks.

The actual attack is accomplished via spear phishing, typically via a link to a malicious web site or document. Access to this will require the victim to enter their account credentials into an actor-controlled web server running the EvilGinx framework, allowing the threat actor to harvest credentials and session cookies, thereby bypassing multi-factor authentication.
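The reason the credential-and-cookie harvest described above works against one-time codes, but not against security keys or passkeys, is origin binding: in WebAuthn the browser, not the page, writes the origin into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData, so an assertion produced on a look-alike domain fails verification at the genuine service. The Python sketch below is an added example, not code from this post, the NCSC advisory or any framework named here; it implements the binding checks of WebAuthn assertion verification for a hypothetical relying party (RP_ID, ALLOWED_ORIGINS and the sample origins are assumptions) and deliberately omits the signature check.

```python
import base64
import hashlib
import json
import os
from typing import Tuple

# Hypothetical relying party (assumptions for this example).
RP_ID = "mail.example.org"
ALLOWED_ORIGINS = {"https://mail.example.org"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses throughout."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build clientDataJSON as a browser would for an assertion.

    The browser fills in the origin from the page's actual URL; script on the
    page cannot override it, which is what defeats a reverse-proxy phishing site.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    return b64url_encode(json.dumps(client_data).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags (UP set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"


def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_challenge: bytes) -> Tuple[bool, str]:
    """Origin- and RP-binding checks from WebAuthn assertion verification.

    Signature verification over authData || SHA-256(clientDataJSON) is omitted;
    only the checks that bind the login to the genuine site are shown.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(str(client_data.get("challenge", ""))) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Genuine login versus an assertion produced on a look-alike domain."""
    challenge = os.urandom(32)
    genuine = verify_assertion(
        make_client_data("https://mail.example.org", challenge),
        make_authenticator_data(RP_ID), challenge)
    # Constructed look-alike domain: the browser records this origin and the
    # authenticator hashes this RP ID, so the real service rejects the assertion
    # even though the challenge is fresh.
    relayed = verify_assertion(
        make_client_data("https://mail-example-org.invalid", challenge),
        make_authenticator_data("mail-example-org.invalid"), challenge)
    return genuine, relayed


if __name__ == "__main__":
    for label, result in zip(("genuine", "relayed"), demo()):
        print(f"{label}: {result}")
```

A TOTP or push code carries no such binding, which is why a proxied login page can pass it through unchanged; the origin check is the line that a proxy cannot satisfy.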

The credentials are then used to log into the victim's email account, from which they can harvest emails and attachments, and also set up mail forwarding rules, allowing them to easily monitor all future correspondence. The NCSC report maps all of the tactics and techniques to the MITRE ATT&CK framework. The mitigations are fairly obvious:

  • Good password hygiene (strong passphrases, no password re-use across services)
  • Use of phishing-resistant multi-factor authentication (security keys, passkeys when available)
  • Enabling email providers' advanced email scanning and protection features
  • Disabling mail forwarding rules and reviewing this setting periodically to detect changes
  • Finally, the tough one: eternal vigilance by users - being alert for subtle differences in email addresses, such as the use of a generic webmail service when previous correspondence has come from an enterprise domain, and checking via an alternative channel, such as a phone call, if anything seems suspicious
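Of the mitigations listed, the review of mail forwarding rules is the one that translates most directly into a detection. The script below is an added example, not code from this post or the NCSC advisory; it scans audit records for inbox-rule and mailbox changes that send mail outside the organisation and ranks the ones that also delete the local copy highest, since those hide the forwarding from the mailbox owner. The record shape and parameter names follow the Exchange inbox-rule and mailbox cmdlets (New-InboxRule, Set-InboxRule, Set-Mailbox with ForwardTo, RedirectTo, ForwardingSmtpAddress and so on); the tenant domain example.org, the addresses, IP addresses and log lines are constructed for the example.

```python
import json
from typing import Dict, List

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.org"}

# Operations and parameters that make mail leave a mailbox; the names follow the
# Exchange inbox-rule and mailbox cmdlets as they appear in audit records.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = [
    json.dumps({"CreationTime": "2023-12-07T08:12:44", "Operation": "New-InboxRule",
                "UserId": "alice@example.org", "ClientIP": "203.0.113.5",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "alice.backup@mail-example.invalid"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2023-12-07T09:01:10", "Operation": "Set-InboxRule",
                "UserId": "bob@example.org", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2023-12-07T09:30:02", "Operation": "New-InboxRule",
                "UserId": "carol@example.org", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Name", "Value": "To helpdesk"},
                               {"Name": "RedirectTo", "Value": "helpdesk@example.org"}]}),
    json.dumps({"CreationTime": "2023-12-07T11:47:31", "Operation": "Set-Mailbox",
                "UserId": "dave@example.org", "ClientIP": "203.0.113.77",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.ext@webmail.invalid"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    "not a json record",  # malformed line: must be skipped, not crash the scan
]


def _addresses(value) -> List[str]:
    """Normalise a parameter value (string, list, optional 'smtp:' prefix) to bare addresses."""
    items = value if isinstance(value, list) else [value]
    out = []
    for item in items:
        item = str(item).strip()
        if item.lower().startswith("smtp:"):
            item = item[5:]
        if "@" in item:
            out.append(item.lower())
    return out


def is_external(address: str) -> bool:
    """True when the address's domain is neither an internal domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1]
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def analyse_record(record: Dict) -> List[Dict]:
    """Return a finding for a rule or mailbox change that forwards mail externally."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}
    external = [addr for name in FORWARDING_PARAMS if name in params
                for addr in _addresses(params[name]) if is_external(addr)]
    if not external:
        return []
    severity, notes = "high", []
    if str(params.get("DeleteMessage", "")).lower() == "true":
        severity = "critical"
        notes.append("forwarded copies are deleted, hiding the rule's effect from the owner")
    return [{"time": record.get("CreationTime"), "user": record.get("UserId"),
             "client_ip": record.get("ClientIP"), "operation": record["Operation"],
             "rule_name": params.get("Name"), "forward_to": external,
             "severity": severity, "notes": notes}]


def scan(lines: List[str]) -> List[Dict]:
    """Scan JSON-per-line audit records, skipping lines that do not parse."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            findings.extend(analyse_record(record))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

Running the script reports Alice's rule (external forward plus delete, hence critical) and Dave's mailbox-level forward, while Bob's folder rule and Carol's internal redirect produce nothing. The same logic applies to a periodic export of current rules, which is the review the mitigation list calls for: flag any rule whose destination fails is_external.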

Mason, Rowena, Russian spies targeting UK MPs and media with ‘cyber interference’, The Guardian, 7 December 2023. Available online at https://www.theguardian.com/politics/2023/dec/07/russian-spies-targeting-uk-mps-and-media-with-cyber-interference.

Microsoft Digital Threat Analysis Center, Disrupting SEABORGIUM’s ongoing phishing operations, threat intelligence report, 15 August 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/.

NCSC, Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns, advisory, 7 December 2023. Available online at https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf.




About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.