The Russia-linked Star Blizzard APT earlier this year targeted French press freedom group Reporters Without Borders (RSF), Sekoia reports.
The attack occurred in March and was carried out through a phishing email targeting one of RSF's core members.
Star Blizzard used a ProtonMail address and spoofed one of the recipient's trusted contacts, asking them to review an attached document. Deliberately, the Russian hackers did not attach the document, and instead waited for the recipient to reply and ask for it, Sekoia notes.
The second email contained a link to a compromised website that redirected to a PDF hosted on ProtonDrive. However, the PDF file could not be retrieved, as Proton had already blocked the operator's account.
As part of the attack against Reporters Without Borders, the Star Blizzard APT sent phishing emails in both French and English and used peace negotiation themes to lure the intended victim into clicking on the malicious link.
Star Blizzard’s phishing kit targets ProtonMail accounts
In a second attack involving a different organization, the threat actor attached a ZIP archive posing as a PDF file to its phishing email.
The file displayed a message claiming the document was encrypted, luring the victim into clicking a link to a compromised website that redirected to a phishing kit.
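A ZIP archive named like a PDF is cheap to catch at the mail gateway if the check is made on content rather than on the file name. The following Python is an added example for this article, not code from Sekoia or from the phishing kit; the file names, the byte strings and the list of risky member extensions are constructed for illustration.

```python
"""Triage an e-mail attachment whose name and content disagree.

Added example for this article; it is not code from Sekoia or from the
phishing kit. File names, bytes and the extension list are constructed.
"""
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# Assumed list of member types worth flagging inside a lure archive.
RISKY_EXTENSIONS = {".exe", ".scr", ".lnk", ".js", ".hta", ".vbs", ".bat", ".cmd", ".ps1", ".html"}


def sniff(data: bytes) -> str:
    """Identify the container from its magic bytes, not from its name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    return "unknown"


def declared_type(filename: str) -> str:
    """What the file name claims to be (only the last extension counts)."""
    lower = filename.lower()
    if lower.endswith(".pdf"):
        return "pdf"
    if lower.endswith(".zip"):
        return "zip"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    declared, actual = declared_type(filename), sniff(data)
    if "unknown" not in (declared, actual) and declared != actual:
        findings.append(f"type mismatch: name says {declared}, content is {actual}")
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    parts = info.filename.lower().split(".")
                    if len(parts) > 1 and "." + parts[-1] in RISKY_EXTENSIONS:
                        findings.append(f"risky member: {info.filename}")
                    # 'Document.pdf.lnk' style names hide the real extension
                    if len(parts) > 2 and parts[-2] == "pdf":
                        findings.append(f"double extension: {info.filename}")
        except zipfile.BadZipFile:
            findings.append("zip magic but archive does not parse")
    return findings


def build_sample_lure() -> tuple[str, bytes]:
    """Constructed sample: a ZIP named like a PDF, holding a fake .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Document.pdf.lnk", b"constructed placeholder bytes")
    return "Document.pdf", buf.getvalue()


if __name__ == "__main__":
    name, blob = build_sample_lure()
    for finding in triage_attachment(name, blob):
        print(finding)
```

The magic-byte check is the part that matters: a renamed archive passes any filter keyed on the extension or on the MIME type the sender declares, but its first bytes still say ZIP. Listing the members then shows whether the "encrypted document" is really a shortcut, script or executable.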
According to Sekoia, the kit was designed to target ProtonMail accounts and can relay two-factor authentication.
Likely homemade, the kit allows the APT to inject malicious JavaScript into the victim's sign-in page, using an adversary-in-the-middle (AiTM) technique.
The modified sign-in page has the username pre-filled and keeps the victim's cursor focused on the password field.
More complex code injected into the page interacts with an attacker-controlled API that processes the credentials and acts as an intermediary between the user and the legitimate ProtonMail authentication interface.
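The relay described above works because a password and a one-time code are just strings: whatever the victim types on the proxied page can be forwarded unchanged to the real service, which cannot tell the proxy from the victim. The one thing a relay cannot forge is a signature that covers the origin the browser was actually on. The Python below is an added example for this article, not the kit's code and not Proton's; the two origins, the secrets and the HMAC used as a stand-in for an authenticator's key pair are assumptions made for illustration. It shows a relayed TOTP succeeding and a relayed origin-bound assertion failing.

```python
"""Why an AiTM relay passes a one-time code but fails an origin-bound login.

Added example for this article; it is not the kit's code and not Proton's.
The two origins, the secrets and the HMAC stand-in for an authenticator's
key pair are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

LEGIT_ORIGIN = "https://mail.example.com"   # assumed legitimate sign-in origin
PHISH_ORIGIN = "https://mail-example.com"   # assumed attacker-controlled proxy


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code a victim types into the proxied page."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def sign(device_key: bytes, client_data: bytes) -> bytes:
    # HMAC stands in for the authenticator's private-key signature (assumption).
    return hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


class Service:
    """Minimal relying party accepting TOTP or an origin-bound assertion."""

    def __init__(self, origin: str, totp_secret: bytes, device_key: bytes):
        self.origin, self.totp_secret, self.device_key = origin, totp_secret, device_key
        self.challenge = None

    def login_totp(self, code: str, at: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, at))

    def new_challenge(self) -> str:
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def login_assertion(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        # The origin is inside the signed blob: a proxy can forward it but not rewrite it.
        if data.get("origin") != self.origin or data.get("challenge") != self.challenge:
            return False
        return hmac.compare_digest(sign(self.device_key, client_data), signature)


def assertion(device_key: bytes, challenge: str, origin: str) -> tuple[bytes, bytes]:
    """What a FIDO2-style authenticator produces: it signs the origin the browser reports."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    return client_data, sign(device_key, client_data)


def demo(now: int = 0) -> dict:
    totp_secret, device_key = b"constructed-totp-secret", b"constructed-device-key"
    service = Service(LEGIT_ORIGIN, totp_secret, device_key)
    now = now or int(time.time())

    # 1. The proxy forwards the victim's code verbatim: the service cannot tell it apart.
    victim_code = totp(totp_secret, now)
    totp_relayed = service.login_totp(victim_code, now)

    # 2. The victim's browser is on the phishing origin, so that is what gets signed.
    relayed = service.login_assertion(*assertion(device_key, service.new_challenge(), PHISH_ORIGIN))

    # 3. Same authenticator and challenge flow, but on the real origin.
    direct = service.login_assertion(*assertion(device_key, service.new_challenge(), LEGIT_ORIGIN))

    return {"totp_relayed": totp_relayed, "assertion_relayed": relayed, "assertion_direct": direct}


if __name__ == "__main__":
    print(demo())
```

The pre-filled username and the focus on the password field are there to make the proxied page feel like the real one; nothing in the kit needs to break cryptography, because passwords and OTP codes carry no binding to where they were entered. A signed assertion does, which is why the relayed one in step 2 is rejected on the origin check before the signature is even compared.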
The recent attacks, Sekoia says, are a continuation of Star Blizzard's spear-phishing campaigns that employ the ClickFix technique.
“If you are an NGO involved in Ukraine, or an individual or researcher with intelligence on this conflict and partnering with Ukrainian bodies, you are likely one of the targets of this threat actor,” Sekoia notes.
Also tracked as UNC4057, Callisto, ColdRiver, and Seaborgium, the Star Blizzard APT has been active since at least 2019, targeting government entities, academic organizations, NGOs, and think tanks.
In 2023, the US government publicly linked the hacking group to Russia's Federal Security Service (FSB). Earlier this year, it was seen using the LostKeys malware in attacks against government and military advisors, journalists, think tanks, and non-profits.
Related: Russian APT Switches to New Backdoor After Malware Uncovered by Researchers
Related: Russian Government Hackers Caught Buying Passwords from Cybercriminals
Related: US and Allies Sanction Russian Bulletproof Hosting Service Providers
Related: Destructive Russian Cyberattacks on Ukraine Expand to Grain Sector
