Skip to content

Hide Navigation Hide TOC

Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410)

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Web Session Cookie - T1550.004 (c3c8c916-2f3c-4e71-94b2-240bdfc996f0) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 1
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 1
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Star Blizzard - G1033 (9b36c218-4d80-4ec6-a68d-cc2886bbe410) Intrusion Set 1
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 2
Web Session Cookie - T1550.004 (c3c8c916-2f3c-4e71-94b2-240bdfc996f0) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern 2
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware 2
Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware 2
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware 2
Spica - S1140 (824a230d-0f6a-4fd0-99df-8d464db2265e) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3