New analysis from the Microsoft Threat Intelligence Center (MSTIC) sheds light on a cyberespionage threat actor known as Seaborgium.
Who is Seaborgium?
Seaborgium is a threat actor that originates from Russia, tracked by Microsoft since 2017. This is a highly persistent threat actor who compromises companies and individuals of interest. In 2022, they have targeted over 30 organizations in addition to personal accounts of individuals. Based on technical information and tactics, the threat actor overlaps with Callisto Group, TA446 and ColdRiver. The Security Service of Ukraine associated the threat actor with the Gamaredon group, however Microsoft's researchers have not observed any link to support this association.
Targets for Seaborgium
The primary target of this threat actor is currently NATO countries, particularly the U.K. and the U.S. Occasional targeting of other countries has also occurred, including countries in the Baltics, the Nordics and Eastern Europe. Of particular interest is the targeting of Ukraine in the months prior to the invasion by Russia, and of organizations playing a role in the war in Ukraine. Microsoft states that Ukraine is likely not a primary target for Seaborgium, and that attacks aimed at this country are probably a reactive focus area for the actor.
Seaborgium's targets are defense and intelligence consulting companies, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), think tanks and higher education, according to Microsoft. In addition, 30% of Seaborgium's activity targets Microsoft consumer email accounts, former intelligence officials, experts in Russian affairs and Russian citizens abroad.
Modus operandi
Researchers from MSTIC observed a consistent methodology with only slight changes in the social engineering approach that Seaborgium uses.
For starters, the threat actor works at understanding its target: this is the reconnaissance phase of the attack. The goal is to identify legitimate contacts in the target's distant social network or sphere of influence. The attacker appears to use open-source intelligence (OSINT), personal directories and social media platforms to achieve that task. MSTIC reveals, in partnership with LinkedIn, that the threat actor has created fake LinkedIn profiles to conduct reconnaissance of employees from specific organizations of interest (Figure A).
Figure A
The identified accounts created by the threat actor have been terminated by LinkedIn.
Seaborgium also creates new email addresses at various email providers, setting them to match legitimate aliases or names of impersonated individuals. On one occasion, the researchers have seen the threat actor reuse an account that had not been used in a year to target a similar industry. This indicates a well-organized threat actor, probably tracking and reusing accounts when relevant.
Once all this configuration is done, the threat actor reaches the target with a benign email message referencing a non-existing attachment which should have contained a topic of interest for the target (Figure B).
Figure B
In other cases, the actor adopts another, more direct approach and sends malicious content (Figure C).
Figure C
As for the malicious content, it can be as simple as a URL leading to a phishing page, sometimes obfuscated using URL shorteners, or it can be an attached PDF file containing a URL leading to a phishing page. Finally, the attacker can also use PDF files hosted on OneDrive, once again containing a link to a phishing page.
The landing phishing page is hosted on an attacker-controlled server running a phishing framework, most often Evilginx. That framework prompts the target for authentication, mirroring the sign-in page of a legitimate provider, allowing the attacker to capture the target's credentials. Once these credentials are captured, the user is redirected to a website or document to complete the interaction.
Seaborgium does use these credentials to exfiltrate the target's emails and file attachments directly from their mailbox. In a few cases, the attacker has set up forwarding rules to an actor-controlled email address. Among the emails of interest for the attacker are mailing-list data from private and sensitive groups, such as those used by former intelligence officials.
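The forwarding rules mentioned above leave a trace in mailbox audit logs, and a defender can hunt for them. The following is an added example, not code from the article or from Microsoft: it scans constructed audit records (a simplified shape modelled on Exchange inbox-rule and mailbox parameters such as ForwardTo and ForwardingSmtpAddress; the exact field layout is an assumption) and flags every rule that forwards or redirects mail to a domain outside the organization.

```python
"""Flag mailbox forwarding rules that send mail outside the organization.

Added example, not from the original article. Record layout is assumed and
simplified; the sample records and domains below are constructed."""

ORG_DOMAINS = {"example.org"}  # constructed: the defender's own domains

# Constructed sample audit records (not real telemetry).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": {"Name": "archive", "ForwardTo": ["attacker@mail-example.net"]}},
    {"Operation": "New-InboxRule", "UserId": "bob@example.org",
     "Parameters": {"Name": "team", "ForwardTo": ["carol@example.org"]}},
    {"Operation": "Set-Mailbox", "UserId": "dave@example.org",
     "Parameters": {"ForwardingSmtpAddress": "smtp:dave.backup@free-mail.example"}},
    {"Operation": "New-InboxRule", "UserId": "erin@example.org",
     "Parameters": {"Name": "tidy", "MoveToFolder": "Archive"}},
]

RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")


def _addresses(value):
    """Normalise a parameter value (string or list, optional 'smtp:' prefix)
    to a list of lower-cased bare addresses."""
    items = value if isinstance(value, list) else [value]
    return [a.split(":", 1)[-1].strip().lower() for a in items]


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the recipient's domain is not one of the organization's."""
    return address.rsplit("@", 1)[-1] not in org_domains


def find_external_forwards(records, org_domains=ORG_DOMAINS):
    """Return (user, operation, external address) for every rule or mailbox
    setting that forwards or redirects mail outside the organization."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = rec.get("Parameters", {})
        for key in FORWARD_PARAMS:
            for addr in _addresses(params.get(key, [])):
                if is_external(addr, org_domains):
                    hits.append((rec["UserId"], rec["Operation"], addr))
    return hits
```

Internal forwards (bob to carol) and non-forwarding rules (erin) are ignored; only alice's rule and dave's mailbox setting are reported.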
More than cyberespionage
While Seaborgium's main goal is cyberespionage, the group has sporadically been involved in information operations, according to Microsoft.
In May 2021, MSTIC observed the threat actor share documents stolen from a political organization in the U.K. The documents were uploaded to a public PDF file-sharing site, while the threat actor amplified the documents via their social media accounts. Yet further amplification was minimal.
One year later, an information operation was attributed by Google's Threat Analysis Group (TAG) to ColdRiver/SeaBorgium, as confirmed by Microsoft. The threat actor leaked emails and documents from 2018 to 2022, which were allegedly stolen from email accounts belonging to high-level proponents of Brexit.
How to protect from this threat?
Typical operations from this threat actor hardly vary over time and are very focused on emails. Therefore, email filtering should be set up, and email security solutions should be deployed.
Filtering solutions should also be enabled directly in the browser to avoid accessing a known phishing page.
Multi-factor authentication (MFA) should also be employed, if possible not relying on telephony, as attackers may be able to bypass it. It should rather use safer implementations such as FIDO tokens or authenticator applications.
Users should also carefully check emails they receive and verify whether they come from the usual email address of their contact. Should an email come from a new address, they should reach the contact another way, like a phone call, to check whether it really came from their contact.
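The check described above (a familiar name arriving from an unfamiliar address, which is exactly what the actor's newly created impersonation accounts produce) can be automated against a known address book. This is an added example, not code from the article; the contact list and the From: headers are constructed, and the address-book format is an assumption.

```python
"""Flag incoming mail whose display name matches a known contact but whose
address does not. Added example, not from the original article; the contact
list and messages below are constructed."""
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> addresses seen before.
KNOWN_CONTACTS = {
    "jane doe": {"jane.doe@example.org"},
    "sam smith": {"sam@example.com", "sam.smith@example.org"},
}

# Constructed sample From: headers (not real messages).
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.org>",
    "Jane Doe <jane.doe.work@free-mail.example>",   # same name, new address
    "Sam Smith <sam.smith@example.org>",
    "Unknown Sender <nobody@example.net>",
]


def classify_sender(from_header, contacts=KNOWN_CONTACTS):
    """Return 'known', 'new-address' or 'unknown' for a From: header.

    'new-address' is the case the article warns about: a familiar name
    arriving from an address the recipient has not seen before, which
    should be verified through another channel before acting on it."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if not addr:
        return "unknown"
    if name in contacts:
        return "known" if addr in contacts[name] else "new-address"
    # A known address shown under a different display name is still known.
    if any(addr in seen for seen in contacts.values()):
        return "known"
    return "unknown"


def triage(headers, contacts=KNOWN_CONTACTS):
    """Map each header to its verdict so that the 'new-address' ones can be
    confirmed with the contact by phone or another out-of-band channel."""
    return {h: classify_sender(h, contacts) for h in headers}
```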
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.