3 August 2023

Russia-linked BlueCharlie APT evolves tactics as it adapts to public disclosures


A Russia-linked threat group known as BlueCharlie, Callisto, Coldriver, Star Blizzard or Seaborgium has created roughly 100 new domains since March 2023, indicating that the group is swiftly adapting its infrastructure in response to public disclosures.

Active since 2017, the threat actor has focused on cyber espionage and hack-and-leak operations. The group is known to target individuals and organizations in North Atlantic Treaty Organization (NATO) member states and entities in Ukraine, including government institutions, higher education, the defense and political sectors, non-governmental organizations (NGOs), activists, journalists, think tanks, and national laboratories.

Most recently, Recorded Future’s Insikt Group observed BlueCharlie building new infrastructure consisting of 94 new domains, likely intended for use in phishing campaigns and credential harvesting.

“Several of the TTPs currently seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting,” the researchers wrote in a report. “Since Insikt Group’s initial tracking of the group in September 2022, we have observed BlueCharlie engage in several TTP shifts. These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers. Some of the changes in TTPs were also likely precipitated by the threat group’s increased awareness of operations security (OPSEC).”

Since mid-December 2022, following reports exposing its activity, the threat actor has changed its Tactics, Techniques and Procedures (TTPs). Most visibly, the group changed the naming pattern of its domains, adopting themes related to information technology and cryptocurrency.

Of the 94 new domains, 78 were registered through NameCheap; Porkbun and Regway are among the other registrars used.
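The two observations above (themed domain names plus a small set of registrars) are the kind of signal a hunter can turn into a cheap triage filter over a feed of newly registered domains. The script below is an added example, not code from Recorded Future or the report; the keyword lists for the "IT" and "cryptocurrency" themes, the scoring weights, and the sample feed are all assumptions constructed for illustration, and the `.example` domains are reserved names, not real BlueCharlie infrastructure.

```python
import re
from dataclasses import dataclass

# Keyword themes the report attributes to the newer domains: information
# technology and cryptocurrency. The word lists are an assumption for
# illustration, not a list taken from the report.
THEMES = {
    "it": ("cloud", "storage", "drive", "docs", "login", "secure", "mail", "portal", "auth"),
    "crypto": ("crypto", "coin", "wallet", "blockchain", "token", "defi"),
}

# Registrars the report names for the 94 domains.
WATCHED_REGISTRARS = {"namecheap", "porkbun", "regway"}


@dataclass(frozen=True)
class Registration:
    domain: str     # registered domain
    registrar: str  # registrar name as it appears in WHOIS/RDAP


def theme_hits(domain: str) -> dict[str, list[str]]:
    """Return, per theme, the keywords found in the registrable label.
    Themes with no hits are omitted, so the keys are the matched themes."""
    label = domain.lower().split(".")[0]
    return {
        theme: found
        for theme, words in THEMES.items()
        if (found := [w for w in words if w in label])
    }


def score(reg: Registration) -> int:
    """Crude score: one point per theme keyword in the label, plus one point
    if the registrar is one the report associates with this cluster."""
    s = sum(len(v) for v in theme_hits(reg.domain).values())
    if reg.registrar.lower() in WATCHED_REGISTRARS:
        s += 1
    return s


def triage(registrations, threshold: int = 3):
    """Return (domain, score, matched_themes) for entries scoring at or
    above the threshold, highest score first, then alphabetical."""
    out = []
    for r in registrations:
        s = score(r)
        if s >= threshold:
            out.append((r.domain, s, sorted(theme_hits(r.domain))))
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


# Constructed sample feed (hypothetical registrations, reserved .example TLD).
SAMPLE_FEED = [
    Registration("secure-cloud-drive.example", "NameCheap"),
    Registration("walletcoin-login.example", "Porkbun"),
    Registration("bakery-recipes.example", "NameCheap"),
    Registration("storage-docs-portal.example", "GoDaddy"),
]

if __name__ == "__main__":
    for domain, s, themes in triage(SAMPLE_FEED):
        print(f"{s:2d}  {domain}  [{', '.join(themes)}]")
```

On the constructed feed, the three themed domains clear the threshold and the unrelated one does not, even though it was registered through NameCheap. That is the point of combining the signals: registrar alone is far too common to act on, and keyword matching alone is noisy, but a domain that hits both is worth a pivot into passive DNS and certificate transparency. In practice the keyword lists would be tuned against the actual reported domains and the threshold adjusted to the feed's false-positive rate.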

“BlueCharlie has demonstrated the ability to adapt and evolve over time to public reporting, and will likely continue to change their TTPs based on past precedent,” the researchers commented.
