The UK and allies have attributed a series of malicious cyber events which attempted to interfere in UK politics and the democratic process to a division of the Russian Federal Security Service (FSB).

The National Cyber Security Centre (NCSC) assesses that Star Blizzard has been identified using cyber operations to target high-profile individuals and entities.

The malicious activity has included:

  • Targeting of UK parliamentarians from multiple political parties, from at least 2015 to this year.
  • The compromise of UK-US trade documents that were leaked ahead of the 2019 General Election.
  • The 2018 compromise of the Institute for Statecraft, a UK thinktank whose work included initiatives to defend democracy against disinformation.
  • The recent hack of the Institute for Statecraft’s founder Christopher Donnelly, whose account was compromised from December 2021.
  • Targeting of universities, journalists, public sector, NGOs and other Civil Society organisations, many of whom play a key role in UK democracy.

The group has also selectively leaked information obtained through its operations and amplified the release in line with Russian confrontation goals, including to undermine trust in politics in the UK and like-minded states.

To support the announcement, the NCSC and partners from the United States, Australia, Canada and New Zealand have issued a new cyber security advisory, sharing technical details about how the actors carry out their attacks and how targets can defend against them.

Who is Star Blizzard?

Star Blizzard – also known as Callisto Group and Cold River, and formerly as Seaborgium – is almost certainly a subordinate group to Centre 18 of Russia’s Federal Security Service (FSB).

FSB

The Federal Security Service of the Russian Federation (FSB) is the principal security agency of Russia and the main successor agency to the Soviet Union’s KGB. Its immediate predecessor was the Federal Counterintelligence Service (FSK) which was reorganized into the FSB in 1995.

Vladimir Putin served as director of the FSB between 1998 and 1999. When he became the Russian President, he placed the FSB under the direct control of the President.

Microsoft Threat Intelligence reports state that Star Blizzard have historically supported both espionage and cyber influence objectives, and continue to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Microsoft has identified five new Star Blizzard evasive techniques:

  • Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure.
  • Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages.
  • Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.
  • Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted.
  • Shifting to a more randomized domain generation algorithm (DGA) for actor-registered domains.
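As an added defensive illustration (not code from the NCSC advisory or from Microsoft), the Python below triages a constructed sample message for two of the techniques listed above: a bulk-mail platform masking the true sender (Return-Path and List-Unsubscribe belonging to a domain unrelated to the From address) and a password-protected PDF attachment. All domain names, addresses and the PDF skeleton are assumed sample values.

```python
from email.message import EmailMessage
from email.utils import parseaddr


def build_sample(masked: bool = True) -> EmailMessage:
    """Constructed sample (not a real lure). With masked=True the From address
    claims a familiar organisation while the bounce path and List-Unsubscribe
    header belong to a bulk-mail platform; the attachment is a minimal PDF
    skeleton carrying an /Encrypt entry. All values are assumptions."""
    msg = EmailMessage()
    msg["From"] = '"Conference Team" <events@thinktank.example>'
    msg["To"] = "target@recipient.example"
    msg["Subject"] = "Updated agenda"
    if masked:
        msg["Return-Path"] = "<bounce-123@mail.bulk-sender.example>"
        msg["List-Unsubscribe"] = "<https://bulk-sender.example/u/123>"
    else:
        msg["Return-Path"] = "<events@thinktank.example>"
    msg.set_content("Agenda attached.")
    fake_pdf = b"%PDF-1.7\n1 0 obj\n<< /Encrypt 2 0 R >>\nendobj\n%%EOF\n"
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if none."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> list[str]:
    """Return human-readable findings for the two techniques checked here."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    path_dom = domain_of(msg.get("Return-Path", ""))
    # A bulk-mail platform puts its own domain in the bounce path, so a
    # Return-Path domain unrelated to the From domain deserves a closer look.
    if from_dom and path_dom and path_dom != from_dom \
            and not path_dom.endswith("." + from_dom):
        findings.append(f"return-path domain {path_dom} != from domain {from_dom}")
    if msg.get("List-Unsubscribe"):
        findings.append("bulk-mail platform headers present")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # An encrypted PDF references an /Encrypt dictionary; a byte search is a
        # cheap first pass, since scanners cannot inspect the protected content.
        if data.startswith(b"%PDF") and b"/Encrypt" in data:
            findings.append(f"encrypted PDF attachment: {part.get_filename()}")
    return findings
```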