The U.K. National Cyber Security Centre (NCSC) warns of a surge in the number of attacks from Russian and Iranian nation-state actors.
The U.K. National Cyber Security Centre (NCSC) is warning of targeted phishing attacks conducted by threat actors based in Russia and Iran. They are increasingly targeting organizations and individuals.
SEABORGIUM has been active since at least 2017; its operations involve persistent phishing and credential-theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.
The SEABORGIUM group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.
The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.
SEABORGIUM’s campaigns begin with reconnaissance of the target individuals, with a focus on identifying their contacts on social networks or their sphere of influence.
Throughout 2022, both groups targeted sectors including academia, defence, governmental organisations, NGOs and think-tanks, as well as politicians, journalists and activists.
The NCSC shared technical details about the TTPs (tactics, techniques, and procedures) used by the attackers, and also provided recommendations to mitigate the threat.
“Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, SEABORGIUM and TA453 identify hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts. [T1589; T1593].” reads the alert published by the UK Agency.
The group also used fake social media or networking profiles that impersonate respected experts, and used supposed conference or event invitations as lures. In some attacks, the threat actors also used false approaches from journalists.
The two APT groups use webmail addresses from different providers (including Outlook, Gmail, and Yahoo), and impersonate known contacts of the target or prominent names in the target’s field of interest or sector.
The attackers have also created malicious domains resembling legitimate organisations.
In August, the Microsoft Threat Intelligence Center (MSTIC) announced it had disrupted activity by SEABORGIUM (aka ColdRiver, TA446), but recent events demonstrate that the group has recovered its operations.
Below are the recommendations provided by the agency in the advisory:
- Use strong and separate passwords for your email account
- Turn on multi-factor authentication (also known as 2-step verification, or 2SV)
- Protect your devices and networks by keeping them up to date
- Exercise vigilance
- Enable your email providers’ automated email scanning features
- Disable mail-forwarding
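The last recommendation, reviewing and disabling mail-forwarding, can be checked programmatically. The following is an added example (not from the NCSC advisory or the article) that audits a constructed export of mailbox forwarding rules and flags those sending mail outside the organisation's domains; the record fields, the organisation domain and the sample mailboxes are assumptions, not any provider's real schema.

```python
"""Flag mailbox forwarding rules that send mail outside the organisation.

Constructed example: the records below imitate an export of mailbox
forwarding settings; field names and domains are assumptions.
"""

ORG_DOMAINS = {"example.org"}  # constructed: domains owned by the organisation

# Constructed sample records: one mailbox rule / forwarding setting each.
SAMPLE_RECORDS = [
    {"mailbox": "a.smith@example.org", "rule": "Sync",
     "forward_to": ["external-mailbox@outlook.com"], "delete_after_forward": True},
    {"mailbox": "b.jones@example.org", "rule": "Team copy",
     "forward_to": ["helpdesk@example.org"], "delete_after_forward": False},
    {"mailbox": "c.lee@example.org", "rule": "RSS",
     "forward_to": [], "delete_after_forward": False},
    {"mailbox": "d.kim@example.org", "rule": ".",
     "forward_to": ["d.kim.personal@gmail.com", "cc@example.org"],
     "delete_after_forward": False},
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr, org_domains=ORG_DOMAINS):
    """True if the address is outside the organisation's domains (subdomains count as internal)."""
    d = _domain(addr)
    return not any(d == o or d.endswith("." + o) for o in org_domains)


def audit_forwarding(records, org_domains=ORG_DOMAINS):
    """Return findings as (mailbox, rule name, external targets, severity)."""
    findings = []
    for r in records:
        ext = [a for a in r.get("forward_to", []) if is_external(a, org_domains)]
        if not ext:
            continue
        # Rules that delete the original, or carry a near-empty name, are
        # the ones a mailbox owner is least likely to notice: rate them higher.
        obscure_name = len(r["rule"].strip(" .")) <= 1
        severity = "high" if (r.get("delete_after_forward") or obscure_name) else "medium"
        findings.append((r["mailbox"], r["rule"], ext, severity))
    return findings


if __name__ == "__main__":
    for mailbox, rule, targets, severity in audit_forwarding(SAMPLE_RECORDS):
        print(f"[{severity}] {mailbox}: rule {rule!r} forwards to {', '.join(targets)}")
```

In a real review, the same check should be run over both inbox rules and mailbox-level forwarding settings, since either can be used to copy mail out after a credential compromise.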
(SecurityAffairs – hacking, APT)