Background
Star Blizzard (Microsoft's current name for the group previously tracked as SEABORGIUM, and also known as Callisto Group, COLDRIVER and TA446) is a Russian state-sponsored threat actor that the UK and US governments publicly attributed in December 2023 to Centre 18 of the Russian Federal Security Service (FSB). The group has been active since at least 2017 and specializes almost exclusively in credential phishing against individuals and organizations of strategic interest to the Russian government.
Unlike many state-sponsored groups that deploy malware and exploit vulnerabilities, Star Blizzard operates primarily through social engineering: it builds rapport with targets over email before directing them to convincing credential harvesting pages. Because the malicious step is a legitimate-looking login on a lookalike domain rather than an exploit or a dropped binary, this human-centric approach is hard to detect with traditional technical security controls.
In October 2024, the U.S. Department of Justice and Microsoft's Digital Crimes Unit jointly disrupted Star Blizzard infrastructure by seizing 107 domains used in spearphishing campaigns (66 through Microsoft's civil action and 41 under a DOJ warrant). This followed the December 2023 unsealing of a DOJ indictment charging an FSB Centre 18 officer and a co-conspirator for their roles in the group's campaigns targeting U.S. government officials, defense personnel, and journalists; both men were sanctioned by the U.S. and the UK at the same time.
Notable Campaigns
UK Government and Think Tank Targeting (2019-2022): The UK National Cyber Security Centre (NCSC) documented sustained Star Blizzard campaigns targeting British government officials, think tank researchers, journalists, and academics. The group impersonated colleagues, journalists, and conference organizers to build trust before delivering credential harvesting links.
U.S. Election-Related Targeting (2022-2024): Star Blizzard targeted individuals associated with U.S. political campaigns, intelligence community personnel, and Department of Defense contractors. The group specifically focused on individuals with access to policy discussions about Russia and Ukraine.
NGO and Civil Society Targeting (2022-2024): Following Russia's invasion of Ukraine, the group intensified targeting of NGOs, human rights organizations, and civil society groups supporting Ukraine. Campaigns targeted organizations providing humanitarian aid, documenting war crimes, and advocating for sanctions.
Domain Seizure and Rebuild (2024): After Microsoft and the DOJ seized 107 domains in October 2024, Star Blizzard rapidly rebuilt infrastructure and continued operations within weeks, demonstrating organizational resilience and dedicated resources.
Tactics, Techniques & Procedures
Star Blizzard's operations center on highly targeted spearphishing. The group conducts extensive open-source research on targets, creating detailed profiles from social media, professional networks, and published works. Initial contact emails are benign: the group builds rapport through multiple exchanges before introducing a malicious link, often delivered inside a PDF or as a link to a shared document rather than in the first message.
Credential harvesting pages are hosted on attacker-controlled domains that closely mimic legitimate login portals (Microsoft 365, Google Workspace, ProtonMail). The group uses Evilginx-style adversary-in-the-middle (AitM) reverse proxies: the victim interacts with the real login flow through the attacker's server, which relays the password and any one-time MFA code to the legitimate provider and captures the resulting session cookie. Push, SMS and TOTP factors are therefore bypassed by replaying the authenticated session rather than by breaking the second factor.
Once credentials are compromised, Star Blizzard accesses email accounts to exfiltrate communications, contacts, and documents. The group also uses compromised accounts to launch further phishing campaigns against the victim's contacts, leveraging established trust relationships.
Tools & Malware
Custom Credential Harvesting Infrastructure: Bespoke phishing pages mimicking major email providers. Pages are hosted on lookalike domains registered through privacy-protecting registrars. The infrastructure supports adversary-in-the-middle attacks for MFA bypass.
Evilginx-derived Frameworks: Adversary-in-the-middle proxy tools that intercept authentication flows in real time, capturing session cookies and tokens even when MFA is enabled.
Open-source Reconnaissance Tools: The group uses standard OSINT tools and techniques to research targets before engagement, building detailed profiles from LinkedIn, academic publications, and social media.
Email Account Exploitation: Once access is obtained, Star Blizzard uses native email platform features (mail rules, forwarding, delegated access) for persistent email monitoring without deploying any malware.
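As an added example (not material from the page, and not tooling attributed to Star Blizzard), the following detection logic covers the three native-feature persistence mechanisms listed above: inbox rules that forward or delete mail, mailbox-level forwarding, and delegated mailbox access. It runs over constructed Microsoft 365 unified-audit-log records in the Exchange admin record layout (an Operation name plus a Parameters list of name/value pairs); the tenant domain example.org, the addresses, timestamps and IPs are all invented for the example.

```python
"""Flag Microsoft 365 audit records that match the native-feature persistence
mechanisms above: inbox rules that forward or delete mail, mailbox-level
forwarding, and delegated mailbox access. Log lines are constructed for this
example (Exchange admin record layout, not real victim data)."""
import json
import re
from collections import Counter

INTERNAL_DOMAINS = {"example.org"}        # assumed: the tenant's accepted domains

# Parameters that send copies of mail somewhere else (rule-level and mailbox-level).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

SAMPLE_LOG = r'''
{"CreationTime":"2024-03-04T09:12:31","Operation":"New-InboxRule","UserId":"analyst@example.org","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[SMTP:archive.mail@protonmail.com]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-04T09:15:02","Operation":"Set-Mailbox","UserId":"analyst@example.org","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"analyst@example.org"},{"Name":"ForwardingSmtpAddress","Value":"smtp:backup.sync@gmail.com"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-04T09:20:45","Operation":"Add-MailboxPermission","UserId":"analyst@example.org","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"analyst@example.org"},{"Name":"User","Value":"intern@example.org"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2024-03-04T11:02:10","Operation":"New-InboxRule","UserId":"pm@example.org","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Reading"}]}
'''


def normalise_address(value):
    """Pull a bare address out of the forms Exchange logs use:
    'user@host', 'smtp:user@host' or '[SMTP:user@host]'."""
    m = re.search(r"[\w.+-]+@[\w.-]+", value)
    return m.group(0).lower() if m else None


def is_external(address):
    return address is not None and address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def assess(record):
    """Return the list of reasons this record looks like mailbox persistence
    (empty list means nothing suspicious)."""
    op = record.get("Operation", "")
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []
    if op in RULE_OPS or op == "Set-Mailbox":
        for name in sorted(FORWARD_PARAMS.intersection(p)):
            addr = normalise_address(p[name])
            if is_external(addr):
                reasons.append(f"{name} sends mail to external address {addr}")
    if op in RULE_OPS:
        if p.get("DeleteMessage") == "True":
            reasons.append("rule deletes matching messages (hides the activity from the user)")
        if len(p.get("Name", "").strip()) <= 1:
            reasons.append("rule name is empty or a single character")
    if op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
        # Admins grant this legitimately; it is a review signal, strongest when the
        # grantor is the mailbox owner acting from an unfamiliar IP.
        reasons.append(f"FullAccess delegated to {p.get('User')}")
    return reasons


def scan(log_text):
    """Parse one JSON record per line and return the flagged ones."""
    hits = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = assess(rec)
        if reasons:
            hits.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "ip": rec.get("ClientIP"), "operation": rec["Operation"],
                         "reasons": reasons})
    return hits


def by_client_ip(hits):
    """Several distinct persistence actions from one IP in a short window are a
    stronger signal than any single rule; count flagged actions per source."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["user"], h["operation"], "; ".join(h["reasons"]))
    print(by_client_ip(found))
```

The benign "Newsletters" rule is not flagged; the three actions from 203.0.113.7 against one mailbox within eight minutes are, and the per-IP count is what an analyst would pivot on. Feed the same logic the output of Search-UnifiedAuditLog or the Office 365 Management Activity API, and add your own accepted domains to INTERNAL_DOMAINS.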
Indicators & Detection
Star Blizzard's operations are primarily detected through email security controls. Monitor for inbound email from newly registered domains that mimic legitimate organizations, and for first-contact messages from free webmail accounts (Gmail, Outlook, Proton Mail and similar) that impersonate known colleagues or institutions. Enforce SPF, DKIM and DMARC (p=reject) on your own domains so that exact spoofs of your senders fail, but note that this does not stop the group's usual approach: it registers lookalike domains or creates webmail accounts that it legitimately controls, which pass those checks. Lookalike-domain detection and sender verification remain necessary.
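An added example, not from the page: a scorer for the two indicators above, name similarity to a protected login brand and registration within the last 30 days. The protected-domain list, the confusable-character table, the domains and the registration dates are constructed for the example; a real deployment would take the registration date from RDAP/WHOIS and use a public-suffix list to find the registrable label.

```python
"""Score an inbound sender domain for lookalike registration: does it imitate a
protected login brand, and was it registered recently? Registration dates are
constructed here (RDAP/WHOIS lookup is assumed, not implemented)."""
from datetime import date

PROTECTED = {"microsoft.com", "office.com", "google.com",
             "proton.me", "protonmail.com", "example.org"}   # assumed brand list
# Substitutions used in lookalike registrations; applied before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("cl", "d"))
NEW_DOMAIN_DAYS = 30

# Constructed stand-in for a WHOIS/RDAP cache.
TODAY = date(2024, 10, 15)
CONSTRUCTED_REGISTRATIONS = {
    "micros0ft-login.com": date(2024, 10, 3),
    "protonmai1.net": date(2024, 10, 12),
    "example-org.com": date(2019, 5, 1),
    "accounts.google.com": date(1997, 9, 15),
    "partner-ngo.net": date(2012, 3, 1),
}


def normalise(label):
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def registrable_label(domain):
    """Second-level label, e.g. 'micros0ft-login' for 'mail.micros0ft-login.com'.
    Simplification: ignores multi-part public suffixes such as co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain this one imitates, or None."""
    domain = domain.lower()
    if any(domain == p or domain.endswith("." + p) for p in PROTECTED):
        return None   # the brand itself or its subdomain: authenticity is SPF/DKIM/DMARC's job
    label = normalise(registrable_label(domain))
    tokens = label.replace("-", " ").split()
    # Longest brand label first so 'protonmail' wins over 'proton'.
    for brand in sorted(PROTECTED, key=lambda d: -len(registrable_label(d))):
        b = registrable_label(brand)
        if label == b or (len(b) >= 6 and levenshtein(label, b) <= 1):
            return brand                      # typo or confusable substitution
        if b in tokens or (len(b) >= 6 and b in label):
            return brand                      # brand plus decoration: 'microsoft-login'
    return None


def assess(domain, registered_on, today):
    brand = lookalike_of(domain)
    age = (today - registered_on).days if registered_on else None
    reasons = []
    if brand:
        reasons.append(f"imitates {brand}")
    if age is not None and age < NEW_DOMAIN_DAYS:
        reasons.append(f"registered {age} days ago")
    verdict = "allow"
    if brand and (age is None or age < NEW_DOMAIN_DAYS):
        verdict = "block"      # lookalike and new (or unknown age): treat as hostile
    elif reasons:
        verdict = "review"     # one indicator only
    return {"domain": domain, "lookalike_of": brand, "age_days": age,
            "verdict": verdict, "reasons": reasons}


def triage(sender_domains, registrations, today):
    return {d: assess(d, registrations.get(d), today) for d in sender_domains}


if __name__ == "__main__":
    for d, r in triage(CONSTRUCTED_REGISTRATIONS, CONSTRUCTED_REGISTRATIONS, TODAY).items():
        print(f"{r['verdict']:6} {d:22} {', '.join(r['reasons']) or '-'}")
```

Wire the verdict into a mail-flow rule or a SIEM enrichment: "block" drops or quarantines, "review" tags the message for the SOC. The confusable table deliberately errs towards false positives on short labels, which is why the edit-distance rule only applies to brand labels of six characters or more.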
Watch for credential harvesting page indicators: domains registered within the last 30 days whose names or pages visually mimic Microsoft 365, Google Workspace, or ProtonMail login portals. Deploy phishing-resistant MFA (FIDO2/WebAuthn) for high-risk users: the authenticator's credential is scoped to the legitimate relying party's domain and the signed assertion includes the origin the browser actually connected to, so an adversary-in-the-middle proxy on a lookalike domain can neither obtain nor replay a valid assertion. Push, SMS and TOTP factors do not have this property and are relayed by Evilginx-style tooling in real time.
User awareness is critical for Star Blizzard defense: the group's social engineering approach means technical controls alone are insufficient. Train high-risk users (government officials, researchers, journalists covering Russia) to verify unsolicited contacts through an independent channel (a known phone number or address, not the contact details in the email) and to be suspicious of unexpected login prompts, particularly ones reached from a link in a shared document or email.
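The following simulation is an added example (not code from the page, from Microsoft, or from any Evilginx project) of why the adversary-in-the-middle relay described under Tactics succeeds against password plus TOTP and fails against WebAuthn, as claimed in the MFA guidance above. The domains example.org and example-org-secure.com are placeholders, and HMAC with a per-credential secret stands in for the authenticator's private-key signature; the rpId suffix rule the browser enforces and the origin, challenge and rpIdHash checks the relying party performs are the ones the real protocol specifies.

```python
"""AitM relay versus password+TOTP and versus WebAuthn, in one self-contained
model. HMAC stands in for the authenticator's asymmetric signature; the
origin-binding checks are unchanged by that simplification."""
import base64, hashlib, hmac, json, secrets, struct

RP_ID, RP_ORIGIN = "example.org", "https://login.example.org"   # assumed victim organisation
PHISH_ORIGIN = "https://login.example-org-secure.com"           # assumed lookalike proxy domain
TOTP_SECRET = b"constructed-totp-seed"


def sha256(b):
    return hashlib.sha256(b).digest()


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (SHA-1); enough to show that a relayed code is accepted."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


class Authenticator:
    """FIDO2 key stand-in. Credentials are scoped to an rpId at creation."""
    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[(rp_id, cred_id)] = key
        return cred_id, key                 # key doubles as the RP's stored verifier here

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self.creds.get((rp_id, cred_id))
        if key is None:
            raise LookupError(f"no credential scoped to {rp_id}")
        auth_data = sha256(rp_id.encode()) + b"\x01"      # rpIdHash || flags (user present)
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get(page_origin, authenticator, options):
    """What navigator.credentials.get() enforces: rpId must be the page host or a
    registrable suffix of it, and clientData.origin is the real page origin."""
    host = page_origin.split("://", 1)[1]
    if not (host == options["rpId"] or host.endswith("." + options["rpId"])):
        raise PermissionError(f"{options['rpId']} is not a suffix of {host}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": options["challenge"],
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(options["rpId"], options["credId"], sha256(client_data))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self):
        self.users, self.pending, self.sessions = {}, {}, {}

    def register(self, name, password, cred_id, cred_key):
        self.users[name] = {"password": password, "cred_id": cred_id, "cred_key": cred_key}

    def _session(self, name):
        tok = secrets.token_urlsafe(24)
        self.sessions[tok] = name
        return tok

    def login_password_totp(self, name, password, code, now):
        u = self.users.get(name)
        if u and hmac.compare_digest(u["password"], password) and hmac.compare_digest(totp(TOTP_SECRET, now), code):
            return self._session(name)
        return None

    def begin_webauthn(self, name):
        ch = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        self.pending[ch] = name
        return {"rpId": RP_ID, "challenge": ch, "credId": self.users[name]["cred_id"]}

    def finish_webauthn(self, name, a):
        cd, u = json.loads(a["clientDataJSON"]), self.users[name]
        ok = (cd.get("type") == "webauthn.get"
              and self.pending.pop(cd.get("challenge"), None) == name    # fresh, single-use challenge
              and cd.get("origin") == RP_ORIGIN                           # origin binding
              and a["authenticatorData"][:32] == sha256(RP_ID.encode()))  # rpId binding
        expected = hmac.new(u["cred_key"], a["authenticatorData"] + sha256(a["clientDataJSON"]),
                            hashlib.sha256).digest()
        return self._session(name) if ok and hmac.compare_digest(expected, a["signature"]) else None


def setup():
    rp, authn = RelyingParty(), Authenticator()
    cred_id, key = authn.make_credential(RP_ID)
    rp.register("analyst", "correct horse battery staple", cred_id, key)
    return rp, authn


def password_totp_via_proxy(now=1_700_000_000):
    """Victim types password and current TOTP into the proxied page; the proxy
    replays both to the real IdP inside the 30 s window and gets a session."""
    rp, _ = setup()
    relayed = {"password": "correct horse battery staple", "code": totp(TOTP_SECRET, now)}
    return rp.login_password_totp("analyst", relayed["password"], relayed["code"], now)


def webauthn_via_proxy():
    """Three things the proxy can try against WebAuthn; each fails at a different layer."""
    rp, authn = setup()
    results, opts = {}, rp.begin_webauthn("analyst")
    try:                                                  # relay the real rpId unchanged
        browser_get(PHISH_ORIGIN, authn, opts)
    except PermissionError:
        results["relayed_rpId"] = "browser refuses: rpId is not a suffix of the phishing host"
    try:                                                  # rewrite rpId to the proxy's own domain
        browser_get(PHISH_ORIGIN, authn, dict(opts, rpId="example-org-secure.com"))
    except LookupError:
        results["rewritten_rpId"] = "authenticator holds no credential for that rpId"
    # A hostile non-browser client can get the key to sign clientData carrying the
    # phishing origin, but the RP rejects it on the origin check.
    cd = json.dumps({"type": "webauthn.get", "challenge": opts["challenge"],
                     "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    ad, sig = authn.get_assertion(RP_ID, opts["credId"], sha256(cd))
    results["forged_origin"] = rp.finish_webauthn(
        "analyst", {"clientDataJSON": cd, "authenticatorData": ad, "signature": sig})
    return results


def webauthn_direct():
    rp, authn = setup()
    return rp.finish_webauthn("analyst", browser_get(RP_ORIGIN, authn, rp.begin_webauthn("analyst")))


if __name__ == "__main__":
    print("password+TOTP via proxy ->", "SESSION ISSUED" if password_totp_via_proxy() else "rejected")
    print("WebAuthn direct          ->", "SESSION ISSUED" if webauthn_direct() else "rejected")
    for k, v in webauthn_via_proxy().items():
        print(f"WebAuthn via proxy [{k}] ->", v if v else "rejected by RP")
```

The first scenario is exactly what Evilginx-style tooling automates: nothing about the password or the TOTP code binds them to the site the victim is looking at. In the WebAuthn cases the attack never reaches the point of holding a session token, and the last case shows why the origin check must remain on the server even though a conforming browser would never produce that assertion.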
