The Russia-linked threat group BlueCharlie has rebuilt its infrastructure after researchers publicly disclosed its recent activity. Researchers have tied the group to 94 new domains registered earlier this year.
This indicates that the group actively reshapes its infrastructure in response to public reporting on its behaviour. BlueCharlie is also tracked under other names, including COLDRIVER and Blue Callisto.
According to the researchers, the group makes these shifts because it monitors industry reporting. The changes show a degree of sophistication intended to obscure its activity and to stay ahead of the analysts tracking it.
BlueCharlie is allegedly affiliated with Russia's Federal Security Service (FSB).
The group is known for phishing campaigns aimed at credential theft, using domains that impersonate the login pages of private-sector companies.
Its targets also include nuclear research laboratories and NGOs involved in the conflict in Ukraine. Researchers believe the group has been active since at least 2017.
BlueCharlie may also have contributed to Russian efforts to disrupt the supply chains carrying military reinforcements to Kyiv. The group allegedly gathered intelligence on evidence of war crimes in order to build a counter-narrative against future accusations levelled at Russia.
Earlier this year, a threat analysis identified a possible link between BlueCharlie's attack infrastructure and a Russian firm that contracts with government entities in the country.
More recently, researchers found that the group has moved to a new naming pattern for its domains, built from keywords related to cryptocurrency and information technology (IT). Domains recently attributed to BlueCharlie's infrastructure include storagecryptogate[.]com, pdfsecxcloudroute[.]com, directexpressgateway[.]com, and cloudrootstorage[.]com.
Of the 94 domains attributed to BlueCharlie, 78 were registered through NameCheap; the remainder were registered through Porkbun and Regway.
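The four listed domains and the crypto/IT naming pattern lend themselves to a simple hunting check over DNS or proxy telemetry. The Python below is an added example, not code from the article or from the researchers it cites. It refangs the defanged indicators, matches exact hits (including subdomains of a listed domain), and applies a keyword heuristic that is the example author's own approximation of the reported naming convention, run over constructed resolver log lines. The keyword list, the two-keyword threshold and the log format are assumptions made for this example.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed from the four domains reported in the article (kept defanged as in the text).
REPORTED_DOMAINS = [
    "storagecryptogate[.]com",
    "pdfsecxcloudroute[.]com",
    "directexpressgateway[.]com",
    "cloudrootstorage[.]com",
]

# Assumption: this keyword list is the example author's approximation of the
# "crypto / IT" naming convention visible in the four reported domains; it is
# not a list published by the researchers.
PATTERN_KEYWORDS = (
    "storage", "crypto", "cloud", "gateway", "gate", "route", "root",
    "secure", "sec", "pdf", "direct", "express",
)
MIN_KEYWORDS = 2  # require two distinct keywords before calling it a pattern match

# Assumed log format: "... query=<hostname> ..." (constructed for this example).
LOG_RE = re.compile(r"query=(?P<query>[A-Za-z0-9.-]+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def registrable(hostname: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: right for .com/.net style TLDs, wrong for suffixes such
    as .co.uk; a real deployment would consult the public suffix list.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def keyword_hits(domain: str) -> Set[str]:
    """Distinct pattern keywords found in the domain's registrable label."""
    label = registrable(domain).split(".")[0]
    return {kw for kw in PATTERN_KEYWORDS if kw in label}


def classify(hostname: str, iocs: Iterable[str] = REPORTED_DOMAINS) -> Optional[str]:
    """Return 'ioc' for a listed domain (or a subdomain of one), 'pattern' for a
    heuristic naming-convention match, or None when neither applies."""
    reg = registrable(hostname)
    if reg in {refang(d) for d in iocs}:
        return "ioc"
    if len(keyword_hits(reg)) >= MIN_KEYWORDS:
        return "pattern"
    return None


def triage(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan resolver log lines and return (queried hostname, verdict) for each hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("query"))
        if verdict:
            hits.append((m.group("query").lower(), verdict))
    return hits


# Constructed sample resolver log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-08-03T10:15:21Z client=10.0.0.12 query=storagecryptogate.com type=A",
    "2023-08-03T10:15:22Z client=10.0.0.12 query=www.google.com type=A",
    "2023-08-03T10:16:05Z client=10.0.0.33 query=mail.cloudrootstorage.com type=A",
    "2023-08-03T10:17:40Z client=10.0.0.40 query=cloudflare.com type=A",
    "2023-08-03T10:18:02Z client=10.0.0.51 query=securecloudstorage.com type=A",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:8s} {host}")
```

An exact indicator hit is actionable on its own; a "pattern" hit is only a hunting lead, since a legitimate name such as securecloudstorage.com trips the same heuristic. Treat pattern matches as candidates for registrar and WHOIS review (the article notes the cluster's concentration at NameCheap) rather than as a block decision.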
Organisations should deploy phishing-resistant MFA (for example, FIDO2 hardware security keys rather than SMS or push-based codes) to blunt credential-theft campaigns by groups like BlueCharlie. Experts also recommend disabling macros by default in Microsoft Office and enforcing password resets for any accounts suspected of having been phished.