Insikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public disclosures and improving operations security. While specific victims are unknown, past targets include government, defense, education, political sectors, NGOs, journalists, and think tanks.
Breakdown of terms used in BlueCharlie activity since November 2022
Recently, Insikt Group observed BlueCharlie build new infrastructure for likely use in phishing campaigns and/or credential harvesting, which consists of 94 new domains. Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting. Since Insikt Group’s initial tracking of the group in September 2022, we have observed BlueCharlie engage in several TTP shifts. These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers.
To counter BlueCharlie’s threat, network defenders should enhance phishing defenses, implement FIDO2-compliant multi-factor authentication, use threat intelligence, and educate third-party vendors. BlueCharlie’s continued use of phishing and its historical adaptation to public reporting suggest it will remain active and evolve further in its operations.
To read the entire analysis with endnotes, click here to download the report as a PDF.
Appendix A — Indicators of Compromise
BlueCharlie Domains: bittechllc[.]net centeritdefcity[.]com checkscreenit[.]com cloudcpanelhost[.]com clouddefsystems[.]com cloudrootstorage[.]com commandentrance[.]com computertechdirectsystems[.]com computingtechstudio[.]com configuregatewayglobal[.]com controlgatestorage[.]com controlsstoragedirect[.]com controlstoragesolutions[.]com cryptdatagate[.]com cryptoanalyzetech[.]com cryptotechdirect[.]com cryptothistech[.]com datagatellc[.]com datagatewayglobal[.]com datastoragecrypto[.]com definform[.]com deskactivitygm[.]com directdocumentgate[.]com directdocumentgateway[.]com directexpressgateway[.]com directstoragegate[.]com docsinfogate[.]com documentdirectllc[.]com documentdirectto[.]com entrywaycenter[.]com gateblurbrepository[.]com gatecryptospace[.]com gateinfosecure[.]com gatestoragetech[.]com gatewaydocsint[.]com gatewayitsol[.]com gatewayrecord[.]com gawecryptoinfosolutions[.]com getinfostarter[.]com incappcloud[.]com infocryptogate[.]com infogatestorage[.]com informationcoindata[.]com informationswitchsystems[.]com infostorageroute[.]com intelligencerepository[.]com itgatestorage[.]com itinfogate[.]com keepitlabgroup[.]com managercodepro[.]com meshgoin[.]com myitappnext[.]com myittechnext[.]com networkgoin[.]com oneinformationcrypto[.]com pdfdirectglobal[.]com pdfsecxcloudroute[.]com po.vatangate[.]com prodefendme[.]com prokeeperit[.]com protectedviews[.]com protectordocumentcenter[.]com realeasyconfiguregateway[.]com realitsolutionprimary[.]com safetydocsgateway[.]com secureglobaltele[.]com serverguarditweb[.]com shielditlabel[.]com shortinfoonline[.]com skycithereforeit[.]com solutionsseccloud[.]com sourcedoorway[.]com sourcedoorways[.]com stateinfospace[.]com storagecryptogate[.]com storagecryptoweb[.]com storageinfogate[.]com storagekeeperinfopro[.]com storagekeeperinfotech[.]com storagerootconnect[.]com storagetruncservices[.]com storagetruncservices[.]com storagewarden[.]com suppdatacent[.]com threatcenterofreaserch[.]com transfer-dns[.]com truncstorage[.]com truncstorage[.]com webgateway[.]ru webgatewayenter[.]com webinterstellar[.]com yourdirectinfospace[.]com yourspaceprotector[.]com BlueCharlie IP Addresses: |
Appendix B — MITRE ATT&CK Techniques
Tactic: Technique | ATT&CK Code |
Reconnaissance: Phishing for Information | T1598 |
Resource Development: Stage Capabilities | T1608 |
Source: Original Post
“An interesting youtube video that may be related to the article above”