Thursday, January 18, 2024

Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware


Over the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group focused on credential phishing activity against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been countering and reporting on this group's efforts to conduct espionage aligned with the interests of the Russian government. To add to the community's understanding of COLDRIVER activity, we are shining light on the group's expanded capabilities, which now include the use of malware.

COLDRIVER continues its focus on credential phishing against Ukraine, NATO countries, academic institutions and NGOs. In order to gain the trust of targets, COLDRIVER often uses impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign's success, and eventually sends a phishing link or a document containing a link. Recently published information on COLDRIVER highlights the group's evolving tactics, techniques and procedures (TTPs), adopted to improve its detection evasion capabilities.

Recently, TAG has observed COLDRIVER continue this evolution by going beyond phishing for credentials to delivering malware via campaigns that use PDFs as lure documents. TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.


