Russian and Iranian cybercrime gangs are targeting prominent figures in the UK, the National Cyber Security Centre (NCSC) says. NGOs and think tanks should be on heightened alert for spear-phishing attacks endeavouring to mine employees for sensitive information, the NCSC has warned.
Two criminal groups, Seaborgium and TA453, have been identified by the NCSC. They operate in a similar way but are not thought to be collaborating, according to an advisory released today.
Spear-phishing attacks, sometimes called ‘big game hunting’, see specific individuals targeted using information known to be of interest to them, to dupe them into clicking on malicious links.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” said Paul Chichester, NCSC director of operations.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
Cyber-espionage gangs target UK, NCSC warns
Politicians, journalists and activists remain primary targets for the groups, the NCSC says. But the criminals are expanding their net to take in academics and those who work in the defence industry, as well as employees of government organisations, NGOs and think tanks.
Seaborgium, believed to be operating from Russia, and TA453, from Iran, display the activity typical of spear-phishing campaigns, explains the advisory. “Using open source resources to conduct reconnaissance, including social media and professional networking platforms, Seaborgium and TA453 identify hooks to engage their target,” it says.
They will also create fake social media profiles impersonating respected experts in the target’s field, or fabricate conferences and approaches from journalists, to win the trust of a person of interest.
This is all directed towards encouraging the target to click on a single malicious link, whereby their credentials can be stolen and their online accounts mined for intelligence and to identify further targets.
How do the gangs operate?
The criminals will often begin by establishing benign contact on a topic they hope will engage their targets, continues the advisory. “There is often some correspondence between attacker and target, sometimes over an extended period, as an attacker builds a rapport,” it says.
This builds towards deploying a malicious link, to be clicked on by the specific person of interest. Often the links are disguised as Zoom invitation URLs. In one case, an attacker set up a Zoom call with their victim in order to post the link in the chat bar during the call.
Once clicked, the link will lead the victim to a server controlled by the criminal gang that mirrors the sign-in page for a legitimate service. “Any credentials entered at this point are now compromised,” states the report.
“The Seaborgium and TA453 actors then use the stolen credentials to log in to targets’ email accounts [T1078], from where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002],” the NCSC says. “They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence.”
The criminals have also used their access to a victim’s email account to access mailing list data and victim’s contact lists, in order to uncover new targets.
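The mail-forwarding rules described above are among the more durable traces such an intrusion leaves in a mailbox. As an added example, not from the NCSC advisory or from either vendor’s reporting, this Python snippet scans a constructed set of simplified inbox-rule audit records and flags rules that forward or redirect mail outside the organisation; the record layout, field names and the internal domain are assumptions.

```python
import json
from typing import Iterable

# Constructed sample of simplified inbox-rule audit records (hypothetical
# layout, loosely modelled on New-/Set-InboxRule events), one JSON object per line.
SAMPLE_AUDIT = """
{"user": "analyst@example.org", "op": "New-InboxRule", "name": "Receipts", "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": false}
{"user": "director@example.org", "op": "New-InboxRule", "name": ".", "ForwardTo": ["archive.mail@example-mail.net"], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": true}
{"user": "fellow@example.org", "op": "Set-InboxRule", "name": "Board", "ForwardTo": [], "RedirectTo": ["board@example.org"], "ForwardAsAttachmentTo": [], "DeleteMessage": false}
{"user": "fellow@example.org", "op": "Set-InboxRule", "name": "Misc", "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": ["drop@mailbox-host.example"], "DeleteMessage": false}
"""

# Rule actions that send a copy (or the original) of a message somewhere else.
FORWARDING_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

def external_recipients(record: dict, internal_domains: set) -> list:
    """Return recipients in any forwarding field whose domain is not internal."""
    found = []
    for field in FORWARDING_FIELDS:
        for addr in record.get(field) or []:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                found.append(addr)
    return found

def flag_external_forwarding(lines: Iterable[str], internal_domains: set) -> list:
    """Flag rule events that forward/redirect mail off-domain; note rules that
    also delete the message, since that hides the forwarding from the owner."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("op") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        ext = external_recipients(rec, internal_domains)
        if ext:
            findings.append({
                "user": rec["user"],
                "rule": rec.get("name", ""),
                "external": ext,
                "hides_copy": bool(rec.get("DeleteMessage")),
            })
    return findings

if __name__ == "__main__":
    for finding in flag_external_forwarding(SAMPLE_AUDIT.splitlines(), {"example.org"}):
        print(finding)
```

Reviewing the flagged rules with the mailbox owners, and the sign-in history around the time each rule was created, is the follow-up a defender would want.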
Where do the gangs come from?
Seaborgium, also known as Callisto, Cold River and TA446, primarily focuses on defence and intelligence consulting companies, as well as intergovernmental organisations and think tanks. The group hit the headlines last year targeting Microsoft employees, after leaking emails it claimed were from leading pro-Brexit figures, like the former head of MI6 Richard Dearlove.
The gang also targeted three nuclear research laboratories in the United States last summer, reports Reuters. It has been active since at least 2017.
TA453, nicknamed Charming Kitten, has been active since at least late 2020. It appears to have a more diverse target pool than Seaborgium, states a report by security company Proofpoint. “Outlier campaigns have targeted medical researchers, an aerospace engineer, a realtor and travel agencies, among others,” it reads.
The gang has also been known to employ unorthodox tactics. In 2021 TA453 made headlines for masquerading as a Liverpudlian aerobics instructor in an effort to breach a US defence company.
“Using the social media persona ‘Marcella Flores’, TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defence contractor,” states another report by Proofpoint.