Threat Actor Profile
Description
Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (19)
STIX Data
{'aliases': ['Star Blizzard',
'SEABORGIUM',
'Callisto Group',
'TA446',
'COLDRIVER'],
'created': '2024-06-14T18:17:18.727Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Star Blizzard](https://attack.mitre.org/groups/G1033) is a '
'cyber espionage and influence group originating in Russia '
'that has been active since at least 2019. [Star '
'Blizzard](https://attack.mitre.org/groups/G1033) campaigns '
'align closely with Russian state interests and have included '
'persistent phishing and credential theft against academic, '
'defense, government, NGO, and think tank organizations in '
'NATO countries, particularly the US and the UK.(Citation: '
'Microsoft Star Blizzard August 2022)(Citation: CISA Star '
'Blizzard Advisory December 2023)(Citation: '
'StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n',
'external_references': [{'external_id': 'G1033',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1033'},
{'description': '(Citation: CISA Star Blizzard '
'Advisory December 2023)',
'source_name': 'Callisto Group'},
{'description': '(Citation: CISA Star Blizzard '
'Advisory December 2023)',
'source_name': 'TA446'},
{'description': '(Citation: Google TAG COLDRIVER '
'January 2024)',
'source_name': 'COLDRIVER'},
{'description': '(Citation: Microsoft Star Blizzard '
'August 2022)',
'source_name': 'SEABORGIUM'},
{'description': 'CISA, et al. (2023, December 7). '
'Russian FSB Cyber Actor Star '
'Blizzard Continues Worldwide '
'Spear-phishing Campaigns. Retrieved '
'June 13, 2024.',
'source_name': 'CISA Star Blizzard Advisory December '
'2023',
'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a'},
{'description': 'Microsoft Threat Intelligence. '
'(2022, August 15). Disrupting '
'SEABORGIUM’s ongoing phishing '
'operations. Retrieved June 13, 2024.',
'source_name': 'Microsoft Star Blizzard August 2022',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/'},
{'description': 'Microsoft Threat Intelligence. '
'(2023, December 7). Star Blizzard '
'increases sophistication and evasion '
'in ongoing attacks. Retrieved '
'February 13, 2024.',
'source_name': 'StarBlizzard',
'url': 'https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/'},
{'description': 'Shields, W. (2024, January 18). '
'Russian threat group COLDRIVER '
'expands its targeting of Western '
'officials to include the use of '
'malware. Retrieved June 13, 2024.',
'source_name': 'Google TAG COLDRIVER January 2024',
'url': 'https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/'}],
'id': 'intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410',
'modified': '2025-10-22T22:12:56.172Z',
'name': 'Star Blizzard',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Aung Kyaw Min Naing, @Nolan'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '2.0'}