Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russian Hacking Group Shakes Up Its Infrastructure

'BlueCharlie' Favors a New Domain Registrar and URL Structure
Russian Hacking Group Shakes Up Its Infrastructure
Image: Shutterstock

A Russia-linked hacking group is shifting its online infrastructure likely in response to public disclosures about its activity.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Recorded Future's Insikt Group traced over the last five months the revamped infrastructure of a group it tracks as "BlueCharlie," which overlaps with activity attributed to the threat actor variously known as Seaborgium, Callisto/Calisto and Coldriver. A recent assessment of the group by the British cybersecurity agency stopped short of connecting the threat actor with the Kremlin but said that its targets have included "academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists and activists" (see: Russian Hackers Suspected of Accessing Email of British MP).

In March 2022, Google's Threat Analysis Group spotted the threat actor launching credential phishing campaigns targeting several U.S.-based nongovernmental organizations and think tanks, the military of a Balkans country and a Ukraine-based defense contractor.

The group relies heavily on phishing to obtain account credentials, including targeted spear-phishing attacks. Its ability to adapt to public reporting about its activity suggests it will persist with "operations for the foreseeable future" and continue to evolve its tactics, Recorded Future warned.

The researchers said BlueCharlie now favors a different domain registrar, shifting the majority of its business from Porkbun to NameCheap. It has stopped registering domain names made up of two terms separated by a hyphen, such as cloud-safetyonline, and has given up trailing URl structures in which it emulated the IT infrastructure of a target. That shift has made it harder to identify victims targeted by the group.

Some things haven't changed. The researchers said that the group "likely uses open sources to conduct extensive reconnaissance in advance of intrusion operations in order to improve the likelihood that its spear-phishing operations succeed."

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.