January 26, 2023 (updated 27 Jan 2023 11:28am)

Russian and Iranian cybercrime gangs targeting UK with spear-phishing, NCSC warns

Sophisticated campaigns are being launched against UK targets with the goal of making victims click malicious links.

By Claudia Glover

Russian and Iranian cybercrime gangs are targeting prominent figures in the UK, the National Cyber Security Centre (NCSC) says. NGOs and think tanks should be on heightened alert for spear-phishing attacks that aim to mine employees for sensitive information, the NCSC has warned.

Russian and Iranian cybercrime gangs target UK. (Photo by Ricky of the World/Shutterstock)

Two criminal groups, Seaborgium and TA453, have been identified by the NCSC. They operate in a similar way but are not thought to be collaborating, according to an advisory released today.

Spear-phishing attacks, sometimes called ‘big game hunting’, see specific individuals targeted using information known to be of interest to them, in order to dupe them into clicking on malicious links.

“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” said Paul Chichester, NCSC director of operations.

“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”

Cyber-espionage gangs target UK, NCSC warns

Politicians, journalists and activists remain primary targets for both groups, the NCSC says. But the criminals are expanding their net to take in academics and those who work in the defence industry, as well as employees of government organisations, NGOs and think tanks.

Seaborgium, believed to be operating from Russia, and TA453, from Iran, display the activity of typical spear-phishing campaigns, explains the advisory. “Using open source resources to conduct reconnaissance, including social media and professional networking platforms, Seaborgium and TA453 identify hooks to engage their target,” it says.


They will also create fake social media profiles impersonating respected experts in the field of a target, or fabricate conferences and approaches from journalists, to hoodwink a person of interest into relinquishing their trust.

This is all directed towards encouraging the target to click on one single malicious link, whereby their credentials can be stolen and their online accounts mined for intelligence and to identify further targets.

How do the gangs operate?

The criminals will often begin by establishing benign contact on a topic they hope will engage their targets, continues the advisory. “There is often some correspondence between attacker and target, sometimes over an extended period, as an attacker builds a rapport,” it says.

This builds towards deploying a malicious link, to be clicked on by the specific person of interest. Often the links are disguised as Zoom invitation URLs. In one case, an attacker set up a Zoom call with their victim in order to post the link in the chat bar during the call. 

Once clicked, the link will lead the victim to a server controlled by the criminal gang that mirrors the sign-in page for a legitimate service. “Any credentials entered at this point are now compromised,” states the report.

“The Seaborgium and TA453 actors then use the stolen credentials to log in to targets’ email accounts [T1078], from where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002],” the NCSC says. “They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence.” 

The criminals have also used their access to a victim’s email account to access mailing list data and victim’s contact lists, in order to uncover new targets. 
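The tradecraft described above gives a defender two concrete things to check: meeting links whose host is not the service they claim to be, and inbox rules that forward mail out of the organisation while hiding the originals. The following is an added example, not code from the NCSC advisory or this article; the message body, the inbox-rule records and their field names, the Zoom domain list and the organisation domain example.org are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the impersonated meeting service is Zoom; extend for others.
LEGIT_ZOOM_SUFFIXES = ("zoom.us", "zoom.com")
ORG_DOMAIN = "example.org"  # constructed: the defended organisation's domain
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed message body: one genuine invite and one lookalike host.
SAMPLE_BODY = (
    "Looking forward to our call. Join here: https://us02web.zoom.us/j/123456\n"
    "Backup link if that fails: https://zoom.us.meeting-join.example/j/123456."
)
# Constructed inbox-rule records (the shape is an assumption, not a vendor API).
SAMPLE_RULES = [
    {"name": "File newsletters", "forward_to": [], "move_to_folder": "Archive"},
    {"name": "Sync", "forward_to": ["mirror@external-webmail.example"], "delete": True},
]

def is_legit_host(host, suffixes=LEGIT_ZOOM_SUFFIXES):
    """True only for an exact legit domain or a real subdomain of one;
    'zoom.us.evil.example' and 'zoom-us.com' are rejected."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def suspicious_meeting_links(body):
    """Return URLs that present as Zoom invites but sit on a non-Zoom host."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")            # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        looks_like_zoom = "zoom" in url.lower() or "/j/" in url
        if looks_like_zoom and not is_legit_host(host):
            hits.append(url)
    return hits

def risky_forwarding_rules(rules, org_domain=ORG_DOMAIN):
    """Flag rules forwarding outside the organisation; note when the original is also deleted or refiled."""
    flagged = []
    for rule in rules:
        external = [d for d in rule.get("forward_to", [])
                    if not d.lower().endswith("@" + org_domain)]
        if external:
            reason = "external forward"
            if rule.get("delete") or rule.get("move_to_folder"):
                reason += ", original hidden"
            flagged.append((rule["name"], external, reason))
    return flagged
```

Running `suspicious_meeting_links(SAMPLE_BODY)` flags only the lookalike link, and `risky_forwarding_rules(SAMPLE_RULES)` flags only the rule that forwards externally and deletes the original.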

Where do the gangs come from?

Seaborgium, also known as Callisto, Cold River and TA446, primarily focuses on defence and intelligence consulting companies, as well as intergovernmental organisations and think tanks. The group hit the headlines last year targeting Microsoft employees, after leaking emails it claimed were from leading pro-Brexit figures, like the former head of MI6 Richard Dearlove.

The gang also targeted three nuclear research laboratories in the United States last summer, reports Reuters. It has been active since at least 2017.

TA453, nicknamed Charming Kitten, has been active since at least late 2020. It appears to have a more diverse target pool than Seaborgium, states a report by security company Proofpoint. “Outlier campaigns have targeted medical researchers, an aerospace engineer, a realtor and travel agencies, among others,” it reads.

The gang has also been known to employ unorthodox tactics. In 2021 TA453 made headlines for masquerading as a Liverpudlian aerobics instructor in an effort to breach a US defence company.

“Using the social media persona ‘Marcella Flores’, TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defence contractor,” states another report by Proofpoint. 
