Star Blizzard (also tracked as Callisto Group, COLDRIVER, SEABORGIUM, TA446, Blue Charlie, TAG-53, Iron Frontier, and MITRE ATT&CK G1003) is a Russian state-sponsored, credential-phishing-focused cluster formally attributed through a coordinated multi-government attribution to Federal Security Service (FSB) Centre 18, the FSB Information Security Centre. The attribution at the FSB-Centre level is high-confidence following the December 7, 2023 coordinated attribution event in which the UK Foreign, Commonwealth and Development Office, UK NCSC, US Department of Justice, US Department of the Treasury OFAC, and US Department of State publicly attributed the cluster to FSB Centre 18. The DOJ concurrently unsealed a District of Columbia indictment charging two FSB-affiliated Russian nationals, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, with conspiracy to commit computer fraud arising from Star Blizzard credential-phishing operations against US, UK, and NATO-allied government, defense, NGO, and academic targets. Treasury OFAC concurrently designated both individuals.
State Department issued Rewards-for-Justice bounties of up to USD 10 million per individual.
UK announced parallel designations and summoned the Russian ambassador.

FSB Centre 18 is operationally distinct from FSB Centre 16. Centre 16 is the FSB's signals-intelligence directorate and runs the Turla cyber-espionage cluster and the Dragonfly / Energetic Bear ICS-targeting cluster (both already covered in this corpus as turla.yaml and dragonfly_energetic_bear.yaml respectively). Centre 18 has a substantially different mission focus on credential theft, influence-and-interference operations, and political-target surveillance rather than the technical SIGINT collection of Centre 16. The other major publicly-tracked FSB Centre 18 cluster is Gamaredon / Aqua Blizzard (already covered as gamaredon.yaml, focused on Ukraine collection), which shares the FSB Centre 18 attribution but operates a substantially different victimology, toolkit, and operational tempo than Star Blizzard.

Targeting focus is overwhelmingly directed at UK, US, NATO-member, and Ukrainian government, foreign-affairs, defense, parliamentary, NGO, think-tank, academic, journalism, and dissident-community targets. The cluster has demonstrated particular sustained focus on UK parliamentarians and on Russian opposition figures in exile, including academic researchers and journalists who publish on Russian-policy topics. The cluster's targeting of UK academic and think-tank communities is dense and sustained across more than half a decade.

Operationally Star Blizzard is distinguished from peer Russian-aligned clusters by being primarily credential-phishing-focused rather than malware-deploying. The cluster does not operate a signature implant family comparable to APT29's NOBELIUM toolkit or Sandworm's wiper portfolio.
Instead, the cluster operates a highly-disciplined credential-phishing pipeline: detailed open-source-intelligence target research, sustained impersonation of individuals from think tanks and NGOs known to the victim (using ProtonMail and other encrypted-email-service addresses that mirror legitimate names), encrypted-PDF decoy delivery, custom credential-phishing landing pages mirroring legitimate Microsoft, Google, ProtonMail, and other service login pages, AitM (adversary-in-the-middle) proxy kits including EvilGinx2 for session-token theft alongside credential capture, OAuth-application-consent phishing, and post-compromise IMAP mailbox abuse for sustained access and long-dwell surveillance. The cluster has been a consistent early adopter of AitM proxy-kit tradecraft and OAuth-consent-phishing tradecraft among publicly-tracked state-aligned clusters.

A defining operational pattern is the cluster's willingness to conduct hack-and-leak operations alongside its more conventional credential-collection mission. The 2019 hack-and-leak operation targeting UK-US bilateral trade-talks documents, leaked via an anonymous online persona during the 2019 UK general election campaign and used to attempt to shape UK political discourse around healthcare-policy elements of UK-US trade negotiations, was retroactively attributed by UK government and Reuters to Star Blizzard / Callisto. The hack-and-leak tradecraft extends the cluster's typical credential-collection mission into active influence operations and is among the most operationally consequential publicly-attributed cluster activities.

A handful of operational notes: First, the cluster's vendor-naming proliferation (Star Blizzard / Callisto / Coldriver / SEABORGIUM / TA446 / Blue Charlie / TAG-53) reflects a decade of fragmented pre-consolidation vendor tracking. Modern reporting should default to "Star Blizzard" as the Microsoft-canonical name.
"Callisto" remains the original cluster name and appears in some academic and policy reporting. Second, the cluster is operationally distinct from APT28 (already covered as apt28_fancybear.yaml, GRU Unit 26165 cyber-espionage), from APT29 (already covered as apt29_cozybear.yaml, SVR cyber-espionage), from Sandworm (already covered as sandworm_team.yaml, GRU Unit 74455 sabotage), from Turla (already covered as turla.yaml, FSB Centre 16 cyber-espionage), from Dragonfly (already covered as dragonfly_energetic_bear.yaml, FSB Centre 16 ICS targeting), and from Gamaredon (already covered as gamaredon.yaml, FSB Centre 18 Ukraine collection). The corpus now contains six publicly-tracked Russian state-sponsored clusters across all four major Russian state cyber services (FSB Centre 16, FSB Centre 18, GRU Unit 26165, GRU Unit 74455, SVR), with Star Blizzard being the second Centre 18 cluster. Third, the cluster's credential-phishing-only operational pattern (no signature malware implant family) is unusual among publicly-tracked state-aligned clusters at this tier. The cluster's operational discipline and tradecraft consistency rest on sustained investment in social-engineering and credential-phishing capability rather than on implant-development capability.
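Two of the pipeline stages described above (impersonation of known contacts from encrypted-mail addresses, and OAuth consent grants that give an app persistent mailbox access) can be turned into simple detection checks. The following is an added defender-side example, not code from the profile or any vendor; the contact list, record layouts, provider domain list and scope names are assumptions chosen for illustration.

```python
# Added example: two detection checks for Star Blizzard-style signals, run over
# constructed records. Record formats, KNOWN_CONTACTS and the domain/scope lists
# are assumptions; adapt them to the mail gateway and identity-provider logs in use.
import re
from email.utils import parseaddr

KNOWN_CONTACTS = {  # constructed: display name -> the domain that contact really uses
    "Jane Doe": "example-thinktank.org",
    "Prof. A. Smith": "example-university.ac.uk",
}
# Consumer encrypted-mail domains commonly used for lookalike sender addresses.
CONSUMER_ENCRYPTED_DOMAINS = {"protonmail.com", "proton.me", "pm.me"}
# Scopes that let a consented app read a mailbox and keep doing so without the password.
MAILBOX_PERSISTENCE_SCOPES = {"mail.read", "imap.accessasuser.all", "offline_access"}


def normalise(name: str) -> str:
    """Collapse a display name to lowercase letters so punctuation tricks don't evade the match."""
    return re.sub(r"[^a-z]", "", name.lower())


def check_sender(from_header: str):
    """Return (contact, reason) when the From header uses a known contact's display name
    but a different sending domain; None when the sender is consistent with the contact."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for contact, expected_domain in KNOWN_CONTACTS.items():
        if normalise(name) == normalise(contact) and domain != expected_domain:
            reason = ("consumer-encrypted-domain" if domain in CONSUMER_ENCRYPTED_DOMAINS
                      else "domain-mismatch")
            return contact, reason
    return None


def check_consent(event: dict) -> set:
    """Return the persistence-enabling scopes granted to an unverified third-party app
    in a consent-grant event; an empty set means nothing to alert on."""
    if event.get("event") != "oauth_consent_grant":
        return set()
    scopes = {s.lower() for s in event.get("scopes", [])}
    risky = scopes & MAILBOX_PERSISTENCE_SCOPES
    return risky if risky and not event.get("publisher_verified", False) else set()


if __name__ == "__main__":
    # Constructed sample inputs, not real observed data.
    print(check_sender('"Jane Doe" <jane.doe.thinktank@protonmail.com>'))
    print(check_consent({"event": "oauth_consent_grant", "app": "Mail Sync Helper",
                         "scopes": ["Mail.Read", "offline_access", "User.Read"],
                         "publisher_verified": False}))
```

Both checks are deliberately narrow: a hit on either is a triage lead to be paired with the sign-in and mailbox-access telemetry, not a verdict on its own.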