Description
[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK. (Citation: Microsoft Star Blizzard August 2022) (Citation: CISA Star Blizzard Advisory December 2023) (Citation: StarBlizzard) (Citation: Google TAG COLDRIVER January 2024)
Techniques Used (TTPs)
- T1583.001 — Domains (resource-development)
- T1114.002 — Remote Email Collection (collection)
- T1550.004 — Web Session Cookie (defense-evasion, lateral-movement)
- T1204.002 — Malicious File (execution)
- T1608.001 — Upload Malware (resource-development)
- T1539 — Steal Web Session Cookie (credential-access)
- T1589 — Gather Victim Identity Information (reconnaissance)
- T1585.002 — Email Accounts (resource-development)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1598.002 — Spearphishing Attachment (reconnaissance)
- T1598.003 — Spearphishing Link (reconnaissance)
- T1588.002 — Tool (resource-development)
- T1583 — Acquire Infrastructure (resource-development)
- T1114.003 — Email Forwarding Rule (collection)
- T1585.001 — Social Media Accounts (resource-development)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1586.002 — Email Accounts (resource-development)
- T1059.007 — JavaScript (execution)
- T1593 — Search Open Websites/Domains (reconnaissance)
Total TTPs: 19
Malware & Tools
Malware: Spica