
Russian APT Group BlueCharlie Changes Infrastructure to Avoid Detection


In an effort to avoid detection, the Russian espionage group known as “BlueCharlie” has replaced its old infrastructure with a network of 94 new domains. BlueCharlie, also known as “Calisto,” “COLDRIVER,” “SEABORGIUM,” and “StarBlizzard,” has been active since at least 2017 and is associated with other threat actor groups. Its targets have included government organizations, defense entities, educational institutions, political sectors, non-governmental organizations (NGOs), think tanks, and journalists. While its primary focus is espionage, the group has also been involved in hack-and-leak operations.

At the beginning of this year, researchers began exposing BlueCharlie in a series of reports, providing insights into its campaigns and its role in the Russia-Ukraine war, breaking down its infrastructure, and even identifying specific individuals behind its operations.

According to Recorded Future, in its most recent campaign, BlueCharlie completely revamped its infrastructure and created nearly 100 new domains for credential harvesting and subsequent espionage attacks.

In previous campaigns, BlueCharlie utilized a tool called Evilginx to assist in naming its phishing domains. This tool allowed them to create URLs that appeared legitimate to their victims. However, in their latest activities, the group adopted a different approach. Instead of using specific URL structures or fully emulated domains, BlueCharlie combined two seemingly random IT-related terms with a hyphen to name their domains.

Recorded Future's analysts suggest that the group may have made these changes to reduce the chances of its operations being detected, while noting that the alterations may also have been made simply for the sake of change itself.

It is not uncommon for threat actors to modify their tactics, techniques, and procedures (TTPs) when their previous methods are exposed. Russian state-sponsored groups like BlueBravo and BlueDelta have a history of rapidly evolving their TTPs. In the case of BlueCharlie, it is likely that the group adjusted its TTPs in response to exposure. This reactionary behavior is observed not only in BlueCharlie but also in other advanced persistent threat (APT) groups. To combat the ever-changing tactics of APT groups, organizations are advised to practice general cyber hygiene, including employee training, disabling macros, and utilizing FIDO2-compliant MFA tokens.

The authors of the report emphasize that BlueCharlie has demonstrated its ability to adapt and evolve over time. They assert that the group will likely continue to change its TTPs based on past experiences. This highlights the importance of remaining vigilant and proactive in defending against evolving APT tactics.

In conclusion, the Russian espionage group BlueCharlie has replaced its old infrastructure with a network of 94 new domains in an attempt to evade detection. This group, which has been active since at least 2017, has targeted various sectors and organizations for espionage and hack-and-leak operations. Researchers have been gradually exposing BlueCharlie’s activities, leading to the latest campaign in which the group completely revamped its infrastructure. The changes in their tactics are believed to be a response to previous exposure and an attempt to decrease the chances of being detected. Organizations are advised to maintain cyber hygiene practices to defend against evolving APT tactics.

