
BlueCharlie, a Russian Cyberterrorist, Modifies Infrastructure in Reaction to Recent Revelations


By Esme Greene

Aug 31, 2023

The updated infrastructure was connected by the cybersecurity company Recorded Future to a threat actor it monitors by the name of BlueCharlie, a hacker group also known as Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (previously SEABORGIUM), and TA446. Threat Activity Group 53 (TAG-53) was BlueCharlie’s prior working name.

The threat actor BlueCharlie has been connected to phishing campaigns that target credential theft by using domains that pose as the login pages of private sector companies, nuclear research labs, and NGOs working to aid in the relief of the Ukraine crisis. BlueCharlie is believed to be affiliated with Russia’s Federal Security Service (FSB). It’s reportedly been operational since at least 2017.

Sekoia highlighted earlier this year that “Calisto collection activities probably contribute to Russian efforts to disrupt Kiev’s supply-chain for military reinforcements.” Additionally, it’s possible that Russian intelligence agencies are gathering information on evidence of war crimes in order to prepare a defense against any allegations.

The Hidden Connections

In a separate study released in January 2023, NISOS uncovered probable links between the group’s attack infrastructure and a Russian firm that works with local governments. Recorded Future stated that “BlueCharlie has carried out persistent phishing and credential theft campaigns that further enable intrusions and data theft,” adding that the actor undertakes thorough reconnaissance to maximize the chance that its attacks succeed.

The most recent research shows that BlueCharlie has changed the naming convention for its domains to include terms associated with e-commerce and cryptocurrencies, among them cloudrootstorage.com, directexpressgateway.com, storagecryptogate.com, and pdfsecxcloudroute.com.

According to reports, 78 of the 94 new domains were registered through NameCheap; Porkbun and Regway are two other registrars that have been used. Enterprises are advised to deploy phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a regular password reset policy to reduce the risk posed by state-sponsored advanced persistent threat (APT) groups.
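The naming-theme shift and the four domains listed above lend themselves to a simple triage rule for DNS or proxy logs. The following is an added example, not code from the article or from Recorded Future: it matches queried domains against the four published names and scores the rest against a constructed word list (cloud/storage/gateway/crypto terms); the word list, threshold and sample log lines are assumptions, and a "suspect" verdict is a candidate for analyst review, not a confirmed indicator.

```python
import re

# The four domains named in the article (Recorded Future reporting).
KNOWN_BLUECHARLIE_DOMAINS = {
    "cloudrootstorage.com", "directexpressgateway.com",
    "storagecryptogate.com", "pdfsecxcloudroute.com",
}

# Constructed word list for the e-commerce / cryptocurrency / cloud-storage
# naming theme the article describes; not from the report, tune it locally.
THEME_WORDS = ("gateway", "storage", "express", "direct", "secure", "crypto",
               "wallet", "cloud", "route", "root", "gate", "pdf", "sec", "pay")
# Longest alternatives first so that "gateway" is preferred over "gate".
_THEME_RE = re.compile("|".join(sorted(THEME_WORDS, key=len, reverse=True)))
_LOG_RE = re.compile(r"query=(?P<domain>[A-Za-z0-9.-]+)")

def theme_score(domain: str) -> float:
    """Fraction of the registrable label covered by theme words (0.0 to 1.0)."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # crude eTLD+1 guess
    tokens = _THEME_RE.findall(label)
    if len(tokens) < 2:  # one word such as "cloud" alone is not the pattern
        return 0.0
    return sum(map(len, tokens)) / len(label)

def classify(domain: str, threshold: float = 0.85) -> str:
    """'known' = published domain, 'suspect' = fits the naming theme, else 'clear'."""
    d = domain.lower().rstrip(".")
    if d in KNOWN_BLUECHARLIE_DOMAINS:
        return "known"
    return "suspect" if theme_score(d) >= threshold else "clear"

def triage(log_lines):
    """Return (domain, verdict) for every non-clear query in the log lines."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m and (verdict := classify(m["domain"])) != "clear":
            hits.append((m["domain"].lower(), verdict))
    return hits

# Constructed sample resolver log lines, not real telemetry.
SAMPLE_LOG = [
    "2023-08-30T09:12:41Z client=10.0.4.21 query=storagecryptogate.com type=A",
    "2023-08-30T09:12:44Z client=10.0.4.21 query=login.microsoftonline.com type=A",
    "2023-08-30T09:13:02Z client=10.0.7.3 query=securepaygateway.net type=A",
    "2023-08-30T09:13:10Z client=10.0.7.3 query=example.org type=AAAA",
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:8} {domain}")
```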

“The organization employs fairly standard methods of attack (like the application of phishing and a historical reliance on open-source offensive security tools), but it is likely to keep employing these strategies, and its determined posture and forward-thinking development of its tactics indicate that the organization stays powerful and capable,” the company said.
