Pierluigi Paganini
January 26, 2023
The U.K. National Cyber Security Centre (NCSC) is warning of targeted phishing attacks conducted by threat actors based in Russia and Iran. The are increasingly targeting organizations and individuals.
The UK agency reported ongoing spear-phishing campaigns carried out by Russia-based group SEABORGIUM and Iran-based group TA453 to gather intelligence on the victims.
SEABORGIUM has been active since at least 2017, its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.
The SEABORGIUM group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.
The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.
SEABORGIUM’s campaigns begin with a reconnaissance activity of target individuals, with a focus on identifying their contacts on social networks or the sphere of influence.
TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.
Throughout 2022, both groups targeted sectors included academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists and activists.
The NCSC shared technical details about the TTPs (techniques, tactics, and procedures) used by the attackers, they also provide recommendations to mitigate the threat.
“Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, SEABORGIUM and TA453 identify hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts. [T1589; T1593].” reads the alert published by the UK Agency.
The group also used fake social media or networking profiles that impersonate respected experts, and used supposed conference or event invitations as lures. In some attacks, the threat actors also used false approaches from journalists.
The two APT groups use webmail addresses from different providers (including Outlook, Gmail, and Yahoo), and impersonate known contacts of the target or prominent names in the target’s field of interest or sector.
The attackers have also created malicious domains resembling legitimate organisations.
In August, the Microsoft Threat Intelligence Center (MSTIC) announced it has disrupted activity by SEABORGIUM (aka ColdRiver, TA446), but recent events demonstrate that the group recovered its operations.
Microsoft has disrupted activity by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage. More details + TTPs in this MSTIC blog: https://t.co/nVoF8GxrFQ
— Microsoft Threat Intelligence (@MsftSecIntel) August 15, 2022
Below are the recommendations provided by the agency in the advisory:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, APT)
[adrotate banner=”5″]
[adrotate banner=”13″]
