
Irish Information Security Forum

BlueCharlie cyber nexus continues to deploy infrastructure

Source: Insikt Group - Cyber Threat Analysis

Since at least March 2023, Insikt Group has tracked new infrastructure that it attributes to the threat activity group BlueCharlie, a group that overlaps with the Russia-nexus actor publicly known as Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM.

"We previously tracked this threat activity under the temporary designator TAG-53. We are now graduating this threat cluster to the cryptonym 'BlueCharlie' due to overlapping tactics, techniques, and procedures (TTPs) and our increased confidence that the activities we have observed are conducted by a Russia-based threat actor."


Insikt Group has observed BlueCharlie build new infrastructure, which includes 94 new domains.

Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosure of those operations in industry reporting. Since Insikt Group began tracking the group in September 2022, it has observed BlueCharlie make several TTP shifts. These shifts demonstrate that the threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity in order to stymie security researchers. Some of the changes in TTPs were also likely precipitated by the group's increased awareness of operations security (OPSEC).

While Insikt Group was unable to determine victimology or targeting for this campaign at the time of the report, BlueCharlie has in the past targeted entities in the government, higher education, defense, and political sectors, as well as non-governmental organizations (NGOs), activists, journalists, think tanks, and national laboratories.

Potential victims in those sectors should improve their phishing defenses, implement FIDO2-compliant multi-factor authentication, use threat intelligence and attack surface intelligence to obtain rapid and complete information, and educate third-party vendors on the risks involved. Failure to do so may result in the loss of credentials for business-critical resources, leaking of proprietary information relating to business or national security, and damage to brand reputation from suffering a breach.

Key Findings

  • BlueCharlie continues to build new infrastructure in pursuit of phishing campaigns and credential harvesting, and it continues to favor certain elements such as the use of preferred registrars, ASNs, and a certificate authority.
  • While the group uses relatively common techniques to conduct attacks (such as phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggest the group remains formidable and capable.
  • Given the group's observed operational tempo and willingness to adapt to public reporting on its activity, we expect to see BlueCharlie continue operations for the foreseeable future. We similarly expect the group to continue to evolve its TTPs based on precedent.
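The first key finding (a persistent preference for particular registrars, ASNs and a certificate authority) is what lets analysts keep tracking a group across new domain registrations. As an added example that is not code from Insikt Group, the IISF or the report, the script below turns that finding into a defender's triage heuristic: it derives a profile of preferred infrastructure attributes from domains already attributed to a cluster, then scores newly observed domains by how many of those attributes they share. Every record, registrar name, ASN and CA label is a constructed placeholder, not a value from the report.

```python
"""Infrastructure-preference triage for newly observed domains.

Added example; not code from Insikt Group, IISF or the report. Every record,
registrar name, ASN and CA label below is a constructed placeholder.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Attributes the report says the group keeps reusing across campaigns.
ATTRIBUTES = ("registrar", "asn", "ca")


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str  # sponsoring registrar (from WHOIS/RDAP)
    asn: str        # autonomous system of the resolved IP
    ca: str         # issuer of the TLS certificate served by the host


# Constructed sample: domains already attributed to a tracked cluster.
KNOWN_CLUSTER = [
    DomainRecord("tracked-1.invalid", "RegistrarA", "AS64500", "CA-X"),
    DomainRecord("tracked-2.invalid", "RegistrarA", "AS64501", "CA-X"),
    DomainRecord("tracked-3.invalid", "RegistrarB", "AS64500", "CA-X"),
    DomainRecord("tracked-4.invalid", "RegistrarA", "AS64500", "CA-X"),
]

# Constructed sample: domains seen today that have not been attributed yet.
NEW_CANDIDATES = [
    DomainRecord("new-1.invalid", "RegistrarA", "AS64500", "CA-X"),
    DomainRecord("new-2.invalid", "RegistrarA", "AS64999", "CA-X"),
    DomainRecord("new-3.invalid", "RegistrarC", "AS64999", "CA-Y"),
    DomainRecord("new-4.invalid", "RegistrarC", "AS64500", "CA-Y"),
]


def build_profile(known: Iterable[DomainRecord], min_share: float = 0.5) -> Dict[str, Set[str]]:
    """Return, per attribute, the values used by at least min_share of the known domains.

    These are the cluster's 'preferred' registrars, ASNs and CAs.
    """
    records = list(known)
    profile: Dict[str, Set[str]] = {attr: set() for attr in ATTRIBUTES}
    if not records:  # nothing attributed yet: empty profile, no division by zero
        return profile
    for attr in ATTRIBUTES:
        counts = Counter(getattr(r, attr) for r in records)
        profile[attr] = {value for value, n in counts.items() if n / len(records) >= min_share}
    return profile


def score(record: DomainRecord, profile: Dict[str, Set[str]]) -> int:
    """Number of attributes (0..3) on which the record matches the cluster profile."""
    return sum(1 for attr in ATTRIBUTES if getattr(record, attr) in profile[attr])


def triage(candidates: Iterable[DomainRecord], profile: Dict[str, Set[str]],
           threshold: int = 2) -> List[Tuple[str, int]]:
    """Domains scoring at least threshold, highest score first (ties broken by name)."""
    hits = [(r.domain, score(r, profile)) for r in candidates]
    hits = [h for h in hits if h[1] >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def cluster_by_fingerprint(records: Iterable[DomainRecord]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group domains that share the exact (registrar, ASN, CA) triple."""
    groups: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for r in records:
        groups[(r.registrar, r.asn, r.ca)].append(r.domain)
    return dict(groups)


# Profile of the constructed cluster: RegistrarA, AS64500 and CA-X dominate.
PROFILE = build_profile(KNOWN_CLUSTER)

if __name__ == "__main__":
    print("preferred attributes:", PROFILE)
    for domain, s in triage(NEW_CANDIDATES, PROFILE):
        print(f"review {domain}: matches {s}/{len(ATTRIBUTES)} preferred attributes")
    for key, members in cluster_by_fingerprint(KNOWN_CLUSTER + NEW_CANDIDATES).items():
        if len(members) > 1:
            print("shared fingerprint", key, "->", members)
```

The score is a prioritisation aid for analyst review, not attribution: a widely used registrar or certificate authority will match many benign domains, so a high score should be combined with other evidence (naming patterns, passive DNS history, certificate transparency timing) before any blocking decision, and the `min_share` and `threshold` values should be tuned to the size of the cluster being tracked.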


Download the full report: BlueCharlie Russian hacker nexus threat analysis

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2

Enhance your cybersecurity knowledge and learn from those at the coalface of information security in Ireland.


Forum Sponsors

Invitations for annual sponsorship of IISF have now reopened.

Sponsorship of IISF opportunity (your logo and profile link here)

Sponsors are featured prominently throughout the IISF.IE website and social media channels, as well as enjoying other benefits.

© iiSf. All rights reserved. CRN: 3400036GH