G1033: Star Blizzard
Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]
Analyst context for executives and security teams
Star Blizzard matters because ATT&CK describes it as a Russia-origin cyber espionage and influence group associated with persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, especially the US and UK. For leaders, the practical issue is not just malware: the relationship set points to identity compromise, email collection, session-cookie abuse, impersonation, and infrastructure preparation. That makes cloud email, identity controls, executive/VIP protection, and phishing response readiness central to resilience.
Executive priority
Prioritize this as an identity and communications-risk scenario. Executives should ask whether the organization can quickly prove who accessed cloud email, whether suspicious forwarding rules or linked devices would be noticed, whether session theft can be investigated, and whether high-risk staff have tailored anti-phishing support. The business value is stronger incident decision-making: faster containment of compromised accounts, better evidence for audit and regulatory inquiries, and reduced risk of sensitive email or messaging exposure.
Technical view
ATT&CK does not provide a detection section for Star Blizzard, so validation should be built from the related behaviors: spearphishing attachments and links, impersonation, credential or session abuse, valid-account use, remote email collection, email forwarding rules, and use of Spica, a custom Windows backdoor. SOC and IR teams should test whether they can correlate pre-compromise indicators such as suspicious domains, email accounts, and social personas with post-compromise identity events such as anomalous cloud email access, new forwarding rules, unusual mailbox searches, impossible or atypical sign-ins, session reuse, and endpoint execution from malicious files. Note that the JavaScript relationship describes browser-side redirection from an adversary-controlled page into the phishing proxy, not script execution on the victim's endpoint, so it is a web-proxy and DNS signal rather than an EDR one.
Likely telemetry
- Email security logs for inbound spearphishing links, attachments, sender impersonation, and user reporting outcomes
- Identity provider and SaaS authentication logs, including successful logins, MFA events where available, session creation, and anomalous geolocation or device context
- Cloud email audit logs for mailbox access, search activity, OAuth or session activity where available, and remote email collection patterns
- Mailbox rule and forwarding configuration changes, especially external forwarding or hidden/unusual rules
- Browser, SaaS, and identity telemetry relevant to web session cookie theft or reuse, where collected
Detection direction
- Do not rely on a single phishing alert; tune for chains that connect impersonation, attachment/link delivery, credential submission or session anomaly, and subsequent mailbox access.
- Validate that cloud email audit logging captures forwarding rule creation, external forwarding, mailbox access, and unusual collection behavior; these are key relationship-driven behaviors for this group object.
- Review false positives carefully for researchers, executives, policy staff, and external-affairs teams who may legitimately interact with unfamiliar contacts, NGOs, think tanks, or academic domains.
- Hunt for valid-account activity that looks normal in isolation but is unusual by user, device, location, time, mailbox volume, or session characteristics.
- If Windows endpoints are in scope, confirm visibility for malicious file execution, script execution, and indicators associated with the related Spica software; ATT&CK lists Spica as Windows-related.
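A worked example of the chaining logic described above, added here as an illustration rather than ATT&CK or Glexia content. The Python routine groups constructed cloud-email audit records by user and counts how many of three stages (sign-in outside the user's baseline, external forwarding rule, bulk mailbox access) land within a two-hour window, which is the relationship-driven chain this page recommends instead of single alerts. The event schema, field names, thresholds, baseline countries and sample records are all assumptions and do not reproduce any vendor's audit format.

```python
# Added example, not from ATT&CK, Glexia, or any vendor: chain identity and
# mailbox events into one per-user finding. Field names are assumptions modelled
# loosely on cloud-email unified audit records, not an exact product schema.
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.org"}        # assumption: the org's own mail domains
BASELINE_COUNTRIES = {"GB"}               # assumption: per-user history would feed this
CHAIN_WINDOW = timedelta(hours=2)         # stages must land within this span to chain
BULK_ACCESS_THRESHOLD = 200               # MailItemsAccessed count treated as collection
FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
CHAIN_OPS = ("New-InboxRule", "MailItemsAccessed")

# Constructed sample events, not real telemetry. Times are UTC.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T08:02:00", "user": "a.researcher@example.org", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "country": "GB", "session": "S1"},
    {"ts": "2024-03-04T08:15:00", "user": "a.researcher@example.org", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "country": "RU", "session": "S2"},
    {"ts": "2024-03-04T08:20:00", "user": "a.researcher@example.org", "op": "New-InboxRule",
     "ip": "198.51.100.77", "session": "S2",
     "params": {"ForwardTo": "archive@mail.example.net", "DeleteMessage": True}},
    {"ts": "2024-03-04T08:30:00", "user": "a.researcher@example.org", "op": "MailItemsAccessed",
     "ip": "198.51.100.77", "session": "S2", "count": 640},
    {"ts": "2024-03-04T09:00:00", "user": "b.analyst@example.org", "op": "UserLoggedIn",
     "ip": "203.0.113.11", "country": "GB", "session": "S3"},
    {"ts": "2024-03-04T09:05:00", "user": "b.analyst@example.org", "op": "New-InboxRule",
     "ip": "203.0.113.11", "session": "S3", "params": {"MoveToFolder": "Newsletters"}},
]


def is_external(address):
    """True when the mailbox domain is not one of the organization's own."""
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def score_user(events):
    """Return (chained_stage_count, reasons) for one user's events.

    Stages: unusual sign-in, external forwarding rule, bulk mailbox access.
    A stage is chained when it occurs within CHAIN_WINDOW of the earliest stage."""
    stage_times = {}
    reasons = []
    risky_sessions = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        op = e["op"]
        if op == "UserLoggedIn" and e.get("country") not in BASELINE_COUNTRIES:
            risky_sessions.add(e.get("session"))
            stage_times.setdefault("unusual_signin", t)
            reasons.append(f"sign-in from {e.get('country')} via {e['ip']} (outside baseline)")
        elif op == "New-InboxRule":
            params = e.get("params", {})
            target = next((params[k] for k in FORWARD_KEYS if k in params), None)
            if target and is_external(target):
                stage_times.setdefault("external_forward", t)
                reasons.append(f"inbox rule forwards to external address {target}")
                if params.get("DeleteMessage"):
                    reasons.append("rule also deletes forwarded mail (hides the forward from the victim)")
        elif op == "MailItemsAccessed" and e.get("count", 0) >= BULK_ACCESS_THRESHOLD:
            stage_times.setdefault("bulk_access", t)
            reasons.append(f"bulk mailbox access: {e['count']} items")
        if op in CHAIN_OPS and e.get("session") in risky_sessions:
            reasons.append(f"{op} performed in the session that began from the unusual location")
    if not stage_times:
        return 0, reasons
    first = min(stage_times.values())
    chained = [s for s, t in stage_times.items() if t - first <= CHAIN_WINDOW]
    return len(chained), reasons


def find_chains(events, min_stages=2):
    """Group events by user; return users whose chained stage count meets min_stages."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        count, reasons = score_user(evs)
        if count >= min_stages:
            findings[user] = {"stages": count, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, finding in find_chains(SAMPLE_EVENTS).items():
        print(f"{user}: {finding['stages']} chained stages")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Running the block reports only the researcher account: the second user creates a benign move-to-folder rule from a baseline location and never reaches the two-stage threshold. In production the country baseline should be per user rather than a global set, and the false-positive review the page calls for applies here: policy and external-affairs staff who travel will trip the sign-in stage alone, which is why the routine requires at least two stages before it reports.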
Mitigation priorities
- Start with identity hardening for high-risk users: strong MFA, conditional access principles, rapid account disablement/reset processes, and session revocation procedures where supported.
- Harden cloud email: restrict or monitor external forwarding, alert on suspicious mailbox rules, preserve mailbox audit logs, and document evidence collection steps for IR.
- Improve phishing resilience with targeted user reporting, executive/VIP workflows, and controls for suspicious attachments, links, impersonation, and newly registered or lookalike domains.
- Prepare IR playbooks for account compromise that include mailbox review, forwarding-rule removal, session/token revocation, endpoint triage for malicious files or scripts, and communications handling.
- Reduce reconnaissance exposure where feasible by reviewing public identity information for sensitive roles and by briefing likely targets on impersonation and social-media/email persona risks.
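Lookalike-domain screening, as mentioned in the phishing-resilience bullet above and in the Domains procedure in the techniques table (domains with names resembling legitimate organizations). This is an added Python example, not ATT&CK, Glexia or vendor code. It folds common homoglyph and hyphen tricks into a canonical form, then compares candidate domains (for example from inbound mail headers or certificate-transparency feeds) against the organization's own domains by exact canonical match, edit distance, and brand-embedded-with-extra-tokens. The protected domains, candidates, and score weights are assumptions to tune locally; public-suffix handling is deliberately naive.

```python
# Added example, not from ATT&CK, Glexia, or any vendor: score candidate domains
# for resemblance to an organization's own domains. Weights are assumptions.

PROTECTED_DOMAINS = ["example.org", "example-institute.org"]  # assumption: the org's domains
MULTI_CHAR = [("rn", "m"), ("vv", "w")]                       # letter pairs that mimic one glyph
SINGLE_CHAR = str.maketrans("01357", "olest")                 # digit-for-letter substitutions
TWO_LEVEL_SUFFIXES = {"co", "ac", "org", "gov", "com", "net"} # naive public-suffix allowance


def registrable_label(domain):
    """Second-level label and suffix, e.g. ('example', 'co.uk') for news.example.co.uk.
    Assumption: a small allowance for ccTLD-style suffixes instead of full public-suffix data."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in TWO_LEVEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def canonical(label):
    """Fold homoglyph substitutions and hyphens so look-alike labels compare equal."""
    s = label.lower()
    for pair, repl in MULTI_CHAR:
        s = s.replace(pair, repl)
    return s.translate(SINGLE_CHAR).replace("-", "")


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_score(candidate, protected=PROTECTED_DOMAINS):
    """Return (score, reason, protected_domain) for the closest protected domain.
    Scores (assumed weights): 1.0 homoglyph or TLD swap, 0.9 / 0.75 one- or two-edit
    typosquat, 0.7 brand embedded with extra tokens, 0.0 no resemblance or own domain."""
    cand_label, cand_suffix = registrable_label(candidate)
    cand_canon = canonical(cand_label)
    best = (0.0, "no resemblance", None)
    for p in protected:
        p_label, p_suffix = registrable_label(p)
        if cand_label == p_label and cand_suffix == p_suffix:
            return (0.0, "protected domain itself", p)
        p_canon = canonical(p_label)
        if cand_canon == p_canon:
            score = 1.0
            reason = ("homoglyph or hyphen variant" if cand_suffix == p_suffix
                      else "same name under a different TLD")
        else:
            dist = levenshtein(cand_canon, p_canon)
            if len(p_canon) >= 5 and dist == 1:
                score, reason = 0.9, "one-edit typosquat"
            elif len(p_canon) >= 5 and dist == 2:
                score, reason = 0.75, "two-edit typosquat"
            elif p_canon in cand_canon:
                score, reason = 0.7, "brand name embedded with extra tokens"
            else:
                continue
        if score > best[0]:
            best = (score, reason, p)
    return best


def screen(candidates, threshold=0.7):
    """Return candidates at or above threshold, highest score first."""
    hits = [(c, *lookalike_score(c)) for c in candidates]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


if __name__ == "__main__":
    # Constructed candidates, not observed infrastructure.
    for dom, score, reason, prot in screen(["examp1e.org", "exarnple-login.com", "exampel.org",
                                            "example.net", "unrelated.com", "mail.example.org"]):
        print(f"{score:.2f}  {dom:24} {reason} (vs {prot})")
```

Canonical-form matching catches the substitutions a reader skims past (digit 1 for l, rn for m), edit distance catches typosquats, and the embedded-brand rule catches the "organization-name plus login or secure" pattern. Short protected labels produce too many edit-distance neighbours, which is why the typosquat rules only apply to names of five or more characters; newly registered domains that score at or above the threshold are the ones worth feeding to mail-flow quarantine or a watchlist.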
Analyst notes and limits
The supplied ATT&CK object is a group profile, not a complete intrusion playbook. The strongest decision value comes from the relationships: Star Blizzard is linked to phishing for information, spearphishing, impersonation, valid-account use, web session cookies, remote email collection, email forwarding rules, resource development, and Spica. These relationships point defenders toward identity, SaaS email, endpoint execution, and pre-attack infrastructure visibility rather than only perimeter blocking.
Official detection text is not provided, and the group object itself lists no platforms or tactics. Platform references above are derived only from related techniques/software, so local applicability depends on the organization’s actual identity provider, email platform, endpoint estate, SaaS usage, mobile/messaging apps, and logging configuration. No claim is made that any specific organization is targeted or that existing controls will detect this behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1684.001 | Impersonation | Star Blizzard has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target. [1][2][4] |
| Enterprise | T1583.001 | Domains | Star Blizzard has registered domains using randomized words and with names resembling legitimate organizations. [2][3] |
| Enterprise | T1114.002 | Remote Email Collection | Star Blizzard has remotely accessed victims' email accounts to steal messages and attachments. [2] |
| Enterprise | T1550.004 | Web Session Cookie | Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx. [2] |
| Enterprise | T1204.002 | Malicious File | Star Blizzard has lured targets into opening malicious .pdf files to deliver malware. [4] |
| Enterprise | T1608.001 | Upload Malware | Star Blizzard has uploaded malicious payloads to cloud storage sites. [4] |
| Enterprise | T1539 | Steal Web Session Cookie | Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains. [2] |
| Enterprise | T1589 | Gather Victim Identity Information | Star Blizzard has identified ways to engage targets by researching potential victims' interests and social or professional contacts. [2] |
| Enterprise | T1585.002 | Email Accounts | Star Blizzard has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target. [1][2][4] |
| Enterprise | T1566.001 | Spearphishing Attachment | Star Blizzard has sent emails with malicious .pdf files to spread malware. [4] |
| Enterprise | T1598.002 | Spearphishing Attachment | Star Blizzard has sent emails to establish rapport with targets, eventually sending messages with attachments containing links to credential-stealing sites. [1][2][3][4] |
| Enterprise | T1598.003 | Spearphishing Link | Star Blizzard has sent emails to establish rapport with targets, eventually sending messages with links to credential-stealing sites. [1][2][3][4] |
| Enterprise | T1588.002 | Tool | Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity. [2][3] |
| Enterprise | T1583 | Acquire Infrastructure | Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails. [3] |
| Enterprise | T1114.003 | Email Forwarding Rule | Star Blizzard has abused email forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access after compromised credentials are reset. [1][2] |
| Enterprise | T1585.001 | Social Media Accounts | Star Blizzard has established fraudulent profiles on professional networking sites to conduct reconnaissance. [1][2] |
| Enterprise | T1078 | Valid Accounts | Star Blizzard has used stolen credentials to sign into victim email accounts. [1][2] |
| Enterprise | T1586.002 | Email Accounts | Star Blizzard has used compromised email accounts to conduct spearphishing against contacts of the original victim. [2] |
| Enterprise | T1059.007 | JavaScript | Star Blizzard has used JavaScript to redirect victim traffic from an adversary-controlled server to a server hosting the Evilginx phishing framework. [3] |
| Enterprise | T1593 | Search Open Websites/Domains | Star Blizzard has used open-source research to identify information about victims to use in targeting. [1][2] |
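The Steal Web Session Cookie and Web Session Cookie rows describe the EvilGinx pattern: the victim authenticates (including MFA) through the adversary's reverse proxy, and the resulting cookie is then replayed from the operator's own machine. The following Python routine is an added example, not ATT&CK, Glexia or vendor code, of the detection the telemetry section calls "session reuse": it flags sessions whose cookie is presented from a client fingerprint (IP plus User-Agent) that never received its own token issuance, and rates a change of OS family higher than a bare IP change because a cookie does not change platform on its own. The log schema, field names and records are constructed assumptions.

```python
# Added example, not from ATT&CK, Glexia, or any vendor: detect a session cookie
# being used from a client other than the one it was issued to. Schema and
# sample records are assumptions, not real telemetry.
from collections import defaultdict

PLATFORM_MARKERS = ("Windows", "Macintosh", "Linux", "iPhone", "iPad", "Android")

WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1"
WIN_EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0"

# Constructed sample session log.
SAMPLE_SESSION_LOG = [
    # Token issued to a Windows/Chrome client; with an AitM proxy in the path this IP
    # is the proxy's, and MFA still reads as satisfied.
    {"ts": "2024-03-04T10:00:00", "session": "sess-7f3a", "user": "c.fellow@example.org",
     "event": "TokenIssued", "ip": "203.0.113.50", "ua": WIN_CHROME, "mfa": True},
    {"ts": "2024-03-04T10:01:00", "session": "sess-7f3a", "user": "c.fellow@example.org",
     "event": "ResourceAccess", "ip": "203.0.113.50", "ua": WIN_CHROME},
    # Same cookie forty minutes later from another IP and a Linux/Firefox UA, with no
    # new TokenIssued event: the cookie has moved to a different machine.
    {"ts": "2024-03-04T10:41:00", "session": "sess-7f3a", "user": "c.fellow@example.org",
     "event": "ResourceAccess", "ip": "198.51.100.23", "ua": LINUX_FF},
    # Benign: laptop moves from office Wi-Fi to a hotspot; UA unchanged.
    {"ts": "2024-03-04T11:00:00", "session": "sess-91c0", "user": "d.editor@example.org",
     "event": "TokenIssued", "ip": "203.0.113.60", "ua": MAC_SAFARI, "mfa": True},
    {"ts": "2024-03-04T11:30:00", "session": "sess-91c0", "user": "d.editor@example.org",
     "event": "ResourceAccess", "ip": "192.0.2.140", "ua": MAC_SAFARI},
    # Benign: single client throughout.
    {"ts": "2024-03-04T12:00:00", "session": "sess-0aa1", "user": "e.lead@example.org",
     "event": "TokenIssued", "ip": "203.0.113.70", "ua": WIN_EDGE, "mfa": True},
    {"ts": "2024-03-04T12:10:00", "session": "sess-0aa1", "user": "e.lead@example.org",
     "event": "ResourceAccess", "ip": "203.0.113.70", "ua": WIN_EDGE},
]


def platform_of(user_agent):
    """Coarse OS family from a User-Agent string; 'unknown' if no marker matches."""
    for marker in PLATFORM_MARKERS:
        if marker in user_agent:
            return marker
    return "unknown"


def find_replayed_sessions(log):
    """Return {session: finding} for sessions used from a fingerprint that never
    received its own TokenIssued event. Severity is 'high' when the OS family
    differs from every issuing client, 'medium' when only the IP differs."""
    by_session = defaultdict(list)
    for rec in log:
        by_session[rec["session"]].append(rec)
    findings = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        issued_to = {(r["ip"], r["ua"]) for r in recs if r["event"] == "TokenIssued"}
        if not issued_to:
            continue  # issuance outside this window; out of scope for this check
        issued_platforms = {platform_of(ua) for _, ua in issued_to}
        foreign = [r for r in recs
                   if r["event"] != "TokenIssued" and (r["ip"], r["ua"]) not in issued_to]
        if not foreign:
            continue
        platform_changed = any(platform_of(r["ua"]) not in issued_platforms for r in foreign)
        findings[sid] = {
            "user": recs[0]["user"],
            "severity": "high" if platform_changed else "medium",
            "issued_to": sorted(issued_to),
            "foreign_use": [(r["ts"], r["ip"], r["ua"]) for r in foreign],
        }
    return findings


if __name__ == "__main__":
    for sid, f in find_replayed_sessions(SAMPLE_SESSION_LOG).items():
        print(f"{f['severity'].upper():6} {sid} {f['user']}")
        for ts, ip, ua in f["foreign_use"]:
            print(f"       {ts} {ip} {platform_of(ua)}")
```

Two caveats for deployment. First, because the victim's real authentication is relayed through the proxy, the TokenIssued IP itself belongs to the adversary, so enriching the issuing IP with hosting-provider or ASN reputation is a second, independent signal. Second, medium findings are common for roaming users; the value of the routine is that a high finding (cookie presented from a different OS family with no fresh authentication) is rare in legitimate traffic and maps directly to the session-revocation step in the IR playbook.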
Groups, software, and campaigns
S1140: Spica
Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 2.0 |  | Current bundle | 05ac3aa0f07c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Star Blizzard August 2022: Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM's ongoing phishing operations. Retrieved June 13, 2024.
- [2] CISA Star Blizzard Advisory December 2023: CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
- [3] StarBlizzard: Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
- [4] Google TAG COLDRIVER January 2024: Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
- [5] MITRE ATT&CK group entry G1033 (source record: mitre-attack).

Associated group names recorded on the ATT&CK object, with the reference that supports each: COLDRIVER [4], Callisto Group [2], SEABORGIUM [1], TA446 [2].
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.