Threat actors are evolving their techniques and tools at a rapid pace that is completely changing the current threat scenario.
BlueCharlie is a Russia-linked threat group that has been active since 2017 and associated with several other names like:-
- Callisto
- ColdRiver
- Star Blizzard
- TA446
While this threat group, BlueCharlie (aka TAG-53), mainly focuses on espionage and leak operations.
Recently, researchers at Recorded Future linked 94 new domains from March 2023 to BlueCharlie, indicating infrastructure modifications in response to public disclosures.
BlueCharlie’s evolved TTPs and advanced infrastructure showcase adaptability to disclosures, enhancing operational security.
At the moment, their current targets are unknown, but their past targets are the following:-
- Government
- Defense
- Education
- Political sectors
- NGOs
- Journalists
- Think tanks
BlueCharlie Hacker Group New Infrastructure
Insikt Group notes BlueCharlie’s 94 new domains and changed TTPs, signifying evolution in response to industry disclosures, likely for phishing or credential harvesting.
Moreover, the Insikt Group has tracked BlueCharlie since Sep 2022, and since then, they have been witnessing multiple drastic TTP shifts.
Apart from this, major Shifts like these indicate the threat actors’ industry awareness and sophisticated obfuscation to prevent cybersecurity experts.
BlueCharlie adopts a new domain naming pattern with IT and crypto-related keywords like:-
- cloudrootstorage[.]com
- directexpressgateway[.]com
- storagecryptogate[.]com
- pdfsecxcloudroute[.]com
Out of 94 new domains, 78 were registered via NameCheap, and others are registered through the following registrar:-
- Porkbun
- Regway
Recommendations
Here below, we have mentioned all the recommendations offered by the security researchers:-
- The network defenders should improve their phishing defenses.
- Make sure to implement FIDO2-compliant multi-factor authentication.
- Use threat intelligence and report.
- Make sure to educate third-party vendors.
- In Microsoft Office, make sure to disable macros by default.
- Ensure to implement a frequent password reset policy.
Source: https://cybersecuritynews.com/bluecharlie-hacker-group-infrastructure/