
Researchers have identified that the Russia-linked APT group BlueCharlie is changing its infrastructure in response to recent public reporting on its activity.
The group, also tracked as Blue Callisto, Callisto, COLDRIVER, Star Blizzard, and TA446, has been active since at least 2017. Its campaigns consist of persistent phishing and credential-theft operations that lead to intrusions and data theft. They target NATO countries, with a particular focus on the Baltics, the Nordics, and Eastern Europe, including Ukraine.
BlueCharlie focuses on defense and intelligence consulting companies, non-governmental organizations, and intergovernmental organizations. It also targets former intelligence officials, experts in Russian affairs, and Russian citizens living abroad.
BlueCharlie has recently been observed building new infrastructure for phishing and credential harvesting. The new infrastructure, created from March 2023 onward, consists of 94 new domains. Since at least December 17, 2022, the group has used a new naming pattern for its domains, built from keywords related to information technology and cryptocurrency. Examples include:
- cloudrootstorage[.]com
- directexpressgateway[.]com
- pdfsecxcloudroute[.]com
- storagecryptogate[.]com
Most of the domains were registered through the Porkbun registrar, followed by NameCheap, Regway, and REGRU; 78 of the 94 new domains were registered through Porkbun. Registrar choice on its own is a weak pivot, since these are mainstream registrars used by many legitimate customers; the naming pattern combined with recent registration dates is the more useful hunting signal.
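The naming pattern above lends itself to a simple hunt: refang the published indicators, check DNS or proxy logs for exact hits, and flag other domains whose registrable label stacks two or more of the same IT/crypto keywords. The following script is an added example, not code from the original report or from the researchers who published it. The keyword list, the two-keyword threshold, the log format, and the lookalike domain `cryptodocsgateway.test` (on a reserved TLD) are all assumptions constructed for the example; only the four IOC domains come from this page.

```python
import re

# Constructed subset of the defanged BlueCharlie domains listed on this page.
BLUECHARLIE_IOCS_DEFANGED = [
    "cloudrootstorage[.]com",
    "directexpressgateway[.]com",
    "pdfsecxcloudroute[.]com",
    "storagecryptogate[.]com",
]

# Assumed keyword families drawn from the IT/cloud/document and cryptocurrency
# terms visible in the listed domains. This is an illustrative list, not an
# official one; tune it against your own false-positive rate.
NAMING_KEYWORDS = (
    "repository", "document", "gateway", "storage", "control", "secure",
    "direct", "crypto", "cloud", "route", "crypt", "data", "info", "tech",
    "gate", "coin", "doc", "pdf",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


KNOWN_IOCS = {refang(d) for d in BLUECHARLIE_IOCS_DEFANGED}


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD ('storage.googleapis.com' -> 'googleapis').
    Public-suffix handling is deliberately omitted; adequate for .com-style IOCs."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def keyword_hits(label: str) -> list[str]:
    """Greedy longest-first matching, so 'gateway' is not also counted as 'gate'."""
    remaining = label
    hits = []
    for kw in sorted(NAMING_KEYWORDS, key=len, reverse=True):
        if kw in remaining:
            hits.append(kw)
            remaining = remaining.replace(kw, " ")
    return hits


def matches_naming_pattern(domain: str, min_hits: int = 2) -> bool:
    """Assumed heuristic: two or more distinct keywords in one registrable label."""
    return len(keyword_hits(registrable_label(domain))) >= min_hits


# Assumed resolver log format: "<ts> client=<ip> qname=<name> qtype=<type>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=\S+$")


def scan_dns_log(lines: list[str]) -> list[dict]:
    """Return one finding per line that is a known IOC or a naming-pattern lookalike."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        qname = m["qname"].lower().rstrip(".")
        if qname in KNOWN_IOCS:
            verdict = "known_ioc"
        elif matches_naming_pattern(qname):
            verdict = "pattern_match"
        else:
            continue
        findings.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": qname,
            "verdict": verdict,
            "hits": keyword_hits(registrable_label(qname)),
        })
    return findings


# Constructed sample resolver log. 'cryptodocsgateway.test' is a made-up
# lookalike on a reserved TLD, not a real indicator.
SAMPLE_LOG = [
    "2023-08-02T10:12:33Z client=10.0.0.5 qname=cloudrootstorage.com qtype=A",
    "2023-08-02T10:12:35Z client=10.0.0.5 qname=storage.googleapis.com qtype=A",
    "2023-08-02T10:13:01Z client=10.0.0.9 qname=cryptodocsgateway.test qtype=A",
    "2023-08-02T10:13:02Z client=10.0.0.9 qname=cloudflare.com qtype=A",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['qname']} -> {f['verdict']} {f['hits']}")
```

Run against the sample, the script reports the exact IOC hit and the lookalike while leaving `storage.googleapis.com` and `cloudflare.com` alone, because their registrable labels carry at most one keyword. Pattern matches are a triage queue, not a block list: confirm them with registration date and registrar before acting.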
Organizations should:
- Implement MFA on all externally reachable accounts, preferring phishing-resistant methods (for example FIDO2 security keys), since credential-harvesting pages can relay one-time codes and push prompts.
- Enforce a password reset policy, and reset credentials immediately when a phishing compromise is suspected.
- Disable all macros by default in Microsoft Office products.
- Train employees, contractors, and third-party vendors to recognize phishing, spearphishing, and social engineering attacks.
- Configure and maintain a proper defense-in-depth strategy.
A detailed IOC list is available in the original report.
Indicators of Compromise
- bittechllc[.]net
- centeritdefcity[.]com
- checkscreenit[.]com
- cloudcpanelhost[.]com
- clouddefsystems[.]com
- cloudrootstorage[.]com
- commandentrance[.]com
- computertechdirectsystems[.]com
- computingtechstudio[.]com
- configuregatewayglobal[.]com
- controlgatestorage[.]com
- controlsstoragedirect[.]com
- controlstoragesolutions[.]com
- cryptdatagate[.]com
- cryptoanalyzetech[.]com
- cryptotechdirect[.]com
- cryptothistech[.]com
- datagatellc[.]com
- datagatewayglobal[.]com
- datastoragecrypto[.]com
- definform[.]com
- deskactivitygm[.]com
- directdocumentgate[.]com
- directdocumentgateway[.]com
- directexpressgateway[.]com
- directstoragegate[.]com
- docsinfogate[.]com
- documentdirectllc[.]com
- documentdirectto[.]com
- entrywaycenter[.]com
- gateblurbrepository[.]com
- gatecryptospace[.]com
- gateinfosecure[.]com
- gatestoragetech[.]com
- gatewaydocsint[.]com
- gatewayitsol[.]com
- gatewayrecord[.]com
- gawecryptoinfosolutions[.]com
- getinfostarter[.]com
- incappcloud[.]com
- infocryptogate[.]com
- infogatestorage[.]com
- informationcoindata[.]com
- informationswitchsystems[.]com
- infostorageroute[.]com
- intelligencerepository[.]com
- itgatestorage[.]com