COLDRIVER [1] [2] [3] [4], also known as Star Blizzard or Blue Callisto [4], is a threat actor associated with Russia's Federal Security Service (FSB) [1] [2] [3]. Since 2017 the group has focused on credential theft, and it has continuously refined its techniques for evading detection.


COLDRIVER uses several tactics to carry out these campaigns. One is registering lookalike domains that impersonate the login pages of targeted organizations [3]. In August 2023, 94 new domains were discovered as part of the group's attack infrastructure [1] [2] [3] [4], with a particular focus on information technology and cryptocurrency [4]. COLDRIVER has also incorporated email marketing services such as HubSpot and MailerLite into its campaigns [1], and it has refined the algorithm it uses to generate domain names [4], drawing on a more randomized list of words [1] [2] [4], which makes its domains harder to spot from naming patterns alone. To evade detection, the group uses server-side scripts and a DNS (Domain Name System) provider to resolve its actor-registered domains [5]. Its primary targets are users of cloud-based email providers [2] [4], and the goal is the theft of their email credentials. COLDRIVER often hosts its infrastructure on dedicated VPSs and relies heavily on spear-phishing [5]. Notably, the UK has sanctioned two members of Star Blizzard for their involvement in spear-phishing campaigns against high-profile individuals and organizations [3].
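Because the lookalike and word-list domains described above are the first artefact a defender usually sees, a cheap first line of defence is to screen newly observed domains against your own brand labels. The following triage filter is an added example written for this page, not code from any of the cited reports or from COLDRIVER's tooling; the organisation names, domains and login keywords in it are constructed for illustration, and the edit-distance and homoglyph thresholds are heuristics, not values taken from the sources.

```python
"""Added triage example (not code from the cited reports): flag newly observed
domains that look like impersonations of an organisation's own login/mail
domains. Every domain and protected label below is constructed for illustration."""
from __future__ import annotations

import unicodedata

# Constructed: the organisation's real domains (allowlisted) and the brand labels to protect.
OWN_DOMAINS = {"examplecorp.com", "examplemail.com"}
PROTECTED_LABELS = {"examplecorp", "examplemail"}

# Assumption: words attackers pair with a brand name to make a credential page look legitimate.
LOGIN_WORDS = {"login", "signin", "secure", "account", "mail", "auth", "sso", "verify", "webmail"}

# Common visual substitutions, mapped back to the character they imitate (heuristic, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Lower-case, strip accents from Latin letters, and undo the HOMOGLYPHS swaps.
    Cyrillic/Greek confusables are NOT folded here; they are caught by the non-ASCII check."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def assess(domain: str) -> list[str]:
    """Return the reasons `domain` looks like a lookalike of a protected label; [] means not suspicious."""
    domain = domain.strip().rstrip(".").lower()
    if any(domain == own or domain.endswith("." + own) for own in OWN_DOMAINS):
        return []
    reasons: list[str] = []
    if domain.startswith("xn--") or ".xn--" in domain or any(ord(c) > 127 for c in domain):
        reasons.append("internationalised/non-ASCII label")
    for raw in domain.split(".")[:-1]:          # every label except the TLD
        label = normalize(raw)
        tokens = set(label.replace("_", "-").split("-"))
        for brand in sorted(PROTECTED_LABELS):
            max_edits = 2 if len(brand) >= 8 else 1   # tolerate more typos in longer brand names
            if label == brand:
                reasons.append(f"brand label '{brand}' on a non-owned domain ('{raw}')")
            elif brand in tokens and tokens & LOGIN_WORDS:
                reasons.append(f"brand '{brand}' paired with login word(s) {sorted(tokens & LOGIN_WORDS)}")
            elif brand in label:
                reasons.append(f"brand '{brand}' embedded in label '{raw}'")
            else:
                d = levenshtein(label, brand)
                if 0 < d <= max_edits:
                    reasons.append(f"'{raw}' is within edit distance {d} of '{brand}'")
    return reasons


# Constructed sample of newly registered / newly observed domains.
SAMPLE_FEED = [
    "examplecorp.com",
    "mail.examplecorp.com",
    "examplecorp-login.com",
    "secure-examplemail.net",
    "exarnplecorp.com",
    "examplecorp.evil-host.org",
    "examp1ecorp-sso.com",
    "examplecrop.com",
    "example\u0441orp.com",      # Cyrillic 'es' in place of Latin 'c'
    "weather-report.com",
]


def triage(feed: list[str]) -> dict[str, list[str]]:
    """Map each suspicious domain in `feed` to its reasons; clean domains are omitted."""
    return {d: r for d in feed if (r := assess(d))}


if __name__ == "__main__":
    for dom, why in triage(SAMPLE_FEED).items():
        print(f"{dom:32} {'; '.join(why)}")
```

Run against a daily feed of newly registered domains or your own passive-DNS and certificate-transparency data, the filter produces a short review queue rather than a verdict: every hit still needs a human or a sandboxed fetch to confirm a cloned login page, and the list of brand labels and login words should be tuned to the organisation.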


COLDRIVER's activity has clear implications for defenders. The group's evolving tradecraft poses a threat to organizations, particularly those that rely on cloud-based email services, so companies should remain vigilant and implement robust controls against credential theft, such as phishing-resistant multi-factor authentication and monitoring for lookalike domains. The sanctions imposed by the UK also show international recognition of the threat COLDRIVER poses and the need for coordinated efforts to counter it. Understanding the psychology of attackers and the mechanics of social engineering [4] further helps in developing effective countermeasures against such threat actors.