‘BlueCharlie’ Favors a New Domain Registrar and URL Structure
A Russia-linked hacking group is shifting its online infrastructure, likely in response to public disclosures about its activity.
Over the last five months, Recorded Future’s Insikt Group traced the revamped infrastructure of a group it tracks as “BlueCharlie,” which overlaps with activity attributed to the threat actor variously known as Seaborgium, Callisto/Calisto and Coldriver. A recent assessment of the group by the British cybersecurity agency stopped short of connecting the threat actor with the Kremlin but said that its targets have included “academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists and activists” (see: Russian Hackers Suspected of Accessing Email of British MP).
In March 2022, Google’s Threat Analysis Group spotted the threat actor launching credential phishing campaigns targeting several U.S.-based nongovernmental organizations and think tanks, the military of a Balkans country and a Ukraine-based defense contractor.
The group relies heavily on phishing to obtain account credentials, including targeted spear-phishing attacks. Its ability to adapt to public reporting about its activity suggests it will persist with “operations for the foreseeable future” and continue to evolve its tactics, Recorded Future warned.
The researchers said BlueCharlie now favors a different domain registrar, shifting the majority of its business from Porkbun to NameCheap. It has stopped registering domain names made up of two terms separated by a hyphen, such as cloud-safetyonline, and has given up trailing URL structures in which it emulated the IT infrastructure of a target. That shift has made it harder to identify victims targeted by the group.
Some things haven’t changed. The researchers said that the group “likely uses open sources to conduct extensive reconnaissance in advance of intrusion operations in order to improve the likelihood that its spear-phishing operations succeed.”