A cyber adversary with ties to Russia has added 94 new domains to its network, suggesting that the group is actively adjusting its infrastructure in the wake of public revelations about its operations.
Recorded Future, a cybersecurity company, attributed the new infrastructure to a threat actor it identifies as BlueCharlie, a hacking collective that’s widely recognized under various names such as Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (previously SEABORGIUM), and TA446. The designation Threat Activity Group 53 (TAG-53) had been temporarily assigned to BlueCharlie in the past.
“These adaptations indicate that these threat actors are cognizant of industry reports and exhibit a certain level of sophistication in their attempts to conceal or modify their operations to frustrate cybersecurity researchers,” Recorded Future revealed in a fresh technical report shared with The Hacker News.
BlueCharlie is believed to be associated with Russia’s Federal Security Service (FSB), and the threat actor is linked to phishing operations aimed at credential theft. These operations typically employ domains that pose as login pages for private corporations, nuclear research facilities, and NGOs engaged in relief efforts for the Ukraine crisis. The group’s activities date back to at least 2017.
“Callisto’s collection activities likely support Russian initiatives to disrupt Kiev’s supply-chain for military reinforcements,” Sekoia suggested earlier this year. “In addition, Russian intelligence likely conducts information gathering on identified evidence related to war crimes to preempt and construct counter narratives for potential future allegations.”
In January 2023, NISOS published a report identifying possible links between the group’s attack infrastructure and a Russian company that engages in governmental contracts within the country.
“BlueCharlie has consistently launched phishing and credential theft campaigns that facilitate further breaches and data theft,” Recorded Future stated, highlighting the actor’s thorough reconnaissance efforts to boost the success rate of its attacks.
The most recent findings show that BlueCharlie has transitioned to a new domain naming pattern, featuring IT and cryptocurrency-related keywords, such as cloudrootstorage[.]com, directexpressgateway[.]com, storagecryptogate[.]com, and pdfsecxcloudroute[.]com.
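The naming pattern above lends itself to a simple detection check. The following Python script is an added example, not tooling from Recorded Future or the article: it refangs the four reported domains into a watchlist, matches DNS query log hostnames against that list, and additionally flags hostnames whose registrable label combines two or more of the IT/cryptocurrency keywords seen in the pattern. The keyword list, the two-keyword threshold, the log line format and the sample log entries are all constructed assumptions for illustration.

```python
"""Match DNS log hostnames against defanged domain IoCs and a keyword
heuristic derived from the reported naming pattern (constructed example)."""
import re
from typing import Iterable

# Defanged domains as published in the report; "[.]" keeps IoCs non-clickable.
REPORTED_IOCS = [
    "cloudrootstorage[.]com",
    "directexpressgateway[.]com",
    "storagecryptogate[.]com",
    "pdfsecxcloudroute[.]com",
]

# Keyword families seen in the new naming pattern. This list is an assumption
# for the example; tune it against your own environment's legitimate traffic.
KEYWORDS = ("cloud", "storage", "crypto", "gateway", "route", "pdf", "sec")


def refang(domain: str) -> str:
    """Turn a defanged IoC (example[.]com, hxxp://...) back into a plain hostname."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return d.rstrip("/")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the .com IoCs here;
    use a Public Suffix List library for production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def keyword_hits(host: str) -> list[str]:
    """Keywords present in the second-level label of the hostname."""
    sld = registrable_domain(host).split(".")[0]
    return [k for k in KEYWORDS if k in sld]


def classify(host: str, iocs: set[str]) -> tuple[str, list[str]]:
    """Return ('ioc' | 'suspect' | 'clean', matched keywords)."""
    reg = registrable_domain(host)
    hits = keyword_hits(host)
    if reg in iocs:
        return "ioc", hits
    # Require two distinct keyword families before flagging, to limit noise
    # from legitimate cloud and storage services (threshold is an assumption).
    if len(hits) >= 2:
        return "suspect", hits
    return "clean", hits


# Assumed log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def scan_log(lines: Iterable[str]) -> list[dict]:
    """Return one finding per log line that matches an IoC or the heuristic."""
    iocs = {refang(d) for d in REPORTED_IOCS}
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        verdict, hits = classify(m["qname"], iocs)
        if verdict != "clean":
            findings.append({"ts": m["ts"], "client": m["client"],
                             "qname": m["qname"], "verdict": verdict,
                             "keywords": hits})
    return findings


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
2023-08-03T09:12:01Z 10.0.4.17 query login.cloudrootstorage.com
2023-08-03T09:12:05Z 10.0.4.17 query www.example.com
2023-08-03T09:13:22Z 10.0.7.3 query mail.cryptostoragegateway.net
2023-08-03T09:14:09Z 10.0.9.8 query storage.googleapis.com
""".splitlines()

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The exact-match branch is the reliable signal; the keyword heuristic is deliberately conservative and should be used to surface candidates for review rather than to block, since many legitimate services use the same vocabulary.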
It is reported that 78 of the 94 new domains were registered using NameCheap, with other domain registrars including Porkbun and Regway.
To defend against the threats posed by state-backed advanced persistent threat (APT) groups, organizations are advised to adopt phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a regular password reset policy.
“Despite the group’s use of fairly standard attack techniques (such as phishing and a historical reliance on open-source offensive security tools), the group’s sustained commitment, evolving tactics, and likely continued use of these methods indicate that it remains a potent and capable threat,” the company concluded.