In recent developments, the Russian cyber group known as Star Blizzard has incorporated the DarkSword iOS exploit kit into its ongoing operations, according to a report by cybersecurity firm Proofpoint. This group, identified as an Advanced Persistent Threat (APT), is associated with Russian intelligence and operates under various aliases including Callisto, ColdRiver, SeaBorgium, and TA446.
Star Blizzard’s Recent Activities
On March 26, Proofpoint detected a surge in email campaigns from Star Blizzard, originating from various compromised email addresses. This campaign was notable for its increased volume compared to the group’s typical activities, suggesting a shift in their operational strategy. Instead of utilizing malicious attachments, the emails included links, marking a change in their approach.
Malfors, an investigation platform, highlighted the use of Atlantic Council-themed lures in these emails, which delivered malware linked to DarkSword. Proofpoint’s analysis indicates that the automated systems were redirected to a harmless decoy PDF, likely due to server-side filtering designed to target iPhone users specifically.
Integration of DarkSword Exploit Kit
Proofpoint has confirmed indications that Star Blizzard has added the DarkSword iOS exploit kit to its toolkit. This marks their first attempt at targeting iCloud accounts and Apple devices. Evidence includes a DarkSword loader found on VirusTotal, linked to a domain associated with the group, and submissions on URLScan reflecting the exploit’s use.
The exploit kit’s delivery has not been directly observed, but it is believed to be employed for credential harvesting and intelligence gathering. This new capability aligns with the Atlantic Council-themed campaign, targeting sectors like finance, government, higher education, and legal institutions.
Implications and Future Outlook
The adoption of the DarkSword exploit kit by Star Blizzard underscores a significant evolution in their cyberattack strategies. This development is part of a broader trend of Russian APTs leveraging leaked exploits for enhanced cyber operations. As these tactics continue to evolve, cybersecurity firms remain vigilant in monitoring and mitigating such threats.
Related reports also highlight other Russian cyber activities, such as exploiting Zimbra vulnerabilities against Ukraine and deploying new malware using ClickFix. As cyber threats persist, ongoing research and collaboration are essential to defending against sophisticated state-sponsored campaigns.
