Russia-based hackers building new attack infrastructure to stay ahead of public reporting
A Russia-based hacking group implicated in previous attacks on governments is shifting its tactics due to increased public reporting by security researchers and tech giants like Microsoft and Google.
In a report from Recorded Future, researchers said that since March 2023, the group tracked as BlueCharlie has built new infrastructure to launch attacks against a variety of targets.
The Record is an editorially independent unit of Recorded Future.
BlueCharlie’s goal is information gathering and credential theft, as well as hack-and-leak operations targeting Ukraine and North Atlantic Treaty Organization (NATO) nations.
The group — tracked by several companies as Calisto, COLDRIVER or Star Blizzard/SEABORGIUM — has previously targeted an array of government, higher education, defense, and political sector entities, as well as non-governmental organizations (NGOs), activists, journalists, think-tanks and national laboratories.
Recorded Future’s Insikt Group was not able to determine who was targeted in this campaign but said they have seen it register 94 new domains as part of its new infrastructure building.
“Several of the tactics, techniques, and procedures currently seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting,” the researchers said.
“BlueCharlie continues to build new infrastructure in the pursuit of phishing campaigns and credential harvesting, and it continues to favor certain elements such as the use of preferred registrars, ASNs [Autonomous System Numbers], and a certificate authority.”
The espionage-focused group has updated its tools repeatedly since researchers began tracking them in September 2022, suggesting they are closely watching how the security industry discusses them.
The group uses relatively simple techniques like phishing and open-source offensive security tools to conduct their attacks but the researchers warned that they are “formidable and capable” based on their ability to evolve quickly and change tactics.
In February, Google’s Threat Analysis Group and its Mandiant cybersecurity division said the group was involved in a 2022 hack-and-leak operation targeting the U.K. Between August and September 2022, the group targeted three U.S. nuclear research labs by creating fake login pages for each lab and sending emails to nuclear scientists trying to trick them into giving away their passwords.
The group also spoofed the Microsoft login page of a U.S. military weapons and hardware supplier as a phishing lure.
In May 2022, Reuters reported that the group was behind a hack-and-leak operation that tried to build a narrative around high-level Brexit proponents planning a coup. The group has also been implicated in other campaigns targeting experts in Russian affairs, Russian citizens abroad and former intelligence officials, Microsoft researchers said.
Since Recorded Future’s first report on the group, BlueCharlie actors used different names for their fake domains and starting in December 2022 used themes around cryptocurrency and information technology. In the 94 new domains, the group also shifted away from what is called a “trailing URL structure” — where the hackers used URLs that resemble legitimate websites but end in a series of periods.
Now, the group uses hyphenated words in their URLs to spoof legitimate organizations. Examples listed in the report include “cloud-safety[.]online.”
“This shift in tactics away from trailing URL structures to the new hyphenated, random-word naming convention has stymied the identification of victims and targeting by the group in this most recent campaign,” the researchers said.
The group has also shifted away from registering its domains with Porkbun and now overwhelmingly uses NameCheap, with 78 out of the 94 domains registered with the company. The group previously used some combination of Porkbun, NameCheap, Regway, and REG RU.
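As an added illustration, not code from the Recorded Future report, the small Python triage helper below scores newly observed domains against the commonalities the article describes: a hyphenated random-word second-level label, one of the registrars named here, and recent registration. The sample records, the 90-day age threshold and the scoring weights are constructed assumptions; on its own the naming pattern is a weak, high-false-positive signal, which is why it is only ranked in combination with the other commonalities.

```python
import re

# Constructed sample records (not indicators from the report). Fields mimic
# what a new-domain feed or passive-DNS export typically carries.
SAMPLE_RECORDS = [
    {"domain": "cloud-safety[.]online", "registrar": "NameCheap", "age_days": 3},
    {"domain": "secure-mailbox[.]site", "registrar": "NameCheap", "age_days": 12},
    {"domain": "login-portal[.]xyz", "registrar": "Porkbun", "age_days": 400},
    {"domain": "example[.]org", "registrar": "Regway", "age_days": 2000},
    {"domain": "mycompany[.]com", "registrar": "NameCheap", "age_days": 3000},
]

# Registrars the article says the group has favoured (lower-cased for matching).
PREFERRED_REGISTRARS = {"namecheap", "porkbun", "regway", "reg ru"}

# Two or more lower-case dictionary-style words joined by hyphens, e.g. "cloud-safety".
HYPHENATED_WORDS = re.compile(r"^[a-z]{3,}(?:-[a-z]{3,})+$")


def refang(domain: str) -> str:
    """Turn defanged 'host[.]tld' notation back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()


def score(record: dict, max_age_days: int = 90) -> tuple[int, list[str]]:
    """Count how many of the report's commonalities a single record matches."""
    labels = refang(record["domain"]).split(".")
    # Simplification: treat the label left of the last dot as the registrable
    # name; multi-part public suffixes such as co.uk would need a suffix list.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    reasons = []
    if HYPHENATED_WORDS.match(sld):
        reasons.append("hyphenated random-word label")
    if record["registrar"].lower() in PREFERRED_REGISTRARS:
        reasons.append(f"registrar {record['registrar']} among preferred set")
    if record["age_days"] <= max_age_days:
        reasons.append(f"registered within {max_age_days} days")
    return len(reasons), reasons


def triage(records: list[dict], min_score: int = 2) -> list[dict]:
    """Return records meeting min_score, highest score first, with reasons."""
    ranked = []
    for rec in records:
        s, why = score(rec)
        if s >= min_score:
            ranked.append({"domain": rec["domain"], "score": s, "reasons": why})
    return sorted(ranked, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["score"], hit["domain"], "; ".join(hit["reasons"]))
```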
BlueCharlie also uses platforms like Stark Industries, MIRhosting, and Perfect Quality (PQ) Hosting — all of which are in some way related to Moldovan national Ivan Neculiti — as part of their attack infrastructure. [Editor's Note: Following publication of this story, Ivan Neculiti contacted Recorded Future News and denied any involvement in these activities. The Record does not allege that Ivan Neculiti is directly involved with these malicious activities; instead Neculiti's association with the above listed platforms is substantiated by open source information and is a commonality on the platforms highlighted above.]
The researchers note that the group “likely uses open sources to conduct extensive reconnaissance in advance of intrusion operations in order to improve the likelihood that its spearphishing operations will succeed.”
It was previously implicated in campaigns that involved fake profiles on social media sites like LinkedIn, allowing the hackers to do research on their targets before attacks.
BlueCharlie also has ties to other Russian groups that have been operating since 2017, and at least one Russian national, Andrey Korinets, has been connected to the group, according to cybersecurity company Nisos.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.