Microsoft has warned that a “highly persistent” hacking group it tracks as Seaborgium is running phishing and credential-theft campaigns against its customers in countries that belong to the Nato defence alliance.
The gang appears to be closely aligned with the Russian government, a report from the Microsoft Threat Intelligence Centre (MSTIC) says. “MSTIC assesses that information collected during Seaborgium intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations,” the report notes.
What we know about Seaborgium
Also known as Callisto, Cold River and TA446, Seaborgium primarily focuses on defence and intelligence consulting companies, intergovernmental organisations and think tanks.
The group hit the headlines earlier this year when it leaked emails it claimed were from leading pro-Brexit figures in the British establishment, including former head of MI6 Richard Dearlove and campaigner Baroness Stuart.
Around 30% of the Seaborgium activity Microsoft has tracked is aimed at consumer email accounts, meaning the group goes after individuals as well as organisations, explains the MSTIC report, which was released yesterday.
Since the beginning of 2022, Microsoft says it has observed Seaborgium campaigns targeting over 30 organisations, “in addition to personal accounts of people of interest”. The group primarily targets Nato countries, particularly the US and the UK.
The hacking gang is known for persistently targeting the same organisation over long periods of time. “Once successful,” the report reads, “it slowly infiltrates targeted organisations’ social networks through constant impersonation, rapport building and phishing to deepen their intrusion.”
The group has been successfully compromising people and organisations of interest for several years through consistent campaigns, “rarely changing methodologies or tactics”, states Microsoft.
MSTIC says it has been working with the Google Threat Analysis Group and security company ProofPoint to track and disrupt the gang.
Seaborgium’s tactics: fake LinkedIn profiles and open-source intelligence
Based on the impersonation tactics and targeting observed, the group appears to use social media platforms, personal directories and general open-source intelligence (OSINT) to shape its campaigns. Microsoft-owned LinkedIn has identified numerous fake profiles attributed to Seaborgium, MSTIC says.
“In accordance with their policies, LinkedIn terminated any account identified as conducting inauthentic or fraudulent behaviour,” states the report.
The gang registers new email accounts at consumer email providers under aliases that match the names of the individuals it impersonates. “We have observed Seaborgium returning to and reusing historical accounts that match the industry of the ultimate target,” the report explains. “In one case, we observed Seaborgium returning to an account it had not used in a year, indicating potential tracking and reusing of accounts if relevant to targets’ verticals.”
Gang members then use these aliases to send the target a phishing email with a PDF attachment. When opened, the attachment shows a fake error message stating that the PDF could not be displayed, together with a button inviting the reader to ‘try again’.
Clicking the button takes the victim to a landing page running a phishing framework, which displays a login form designed to capture the victim’s credentials. Once they have gained access, the gang will “exfiltrate emails and attachments from the inboxes of victims,” explains Microsoft, or, in limited cases, “set up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data.”
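The forwarding rules described above leave a trace in the Exchange Online admin audit log, which is where a defender would look for them. The following script is an added example, not code from the Tech Monitor article or from Microsoft’s report: it reads audit records for the cmdlets that create or change forwarding (New-InboxRule, Set-InboxRule, Set-Mailbox) and flags any whose destination lies outside the tenant. The audit lines, the tenant domain `example.org` and the dead-drop domain `dead-drop.example` are all constructed for the illustration.

```python
"""Flag mailbox forwarding to external addresses in Exchange Online audit records.

Added example; not code from the article or from Microsoft. The records in
SAMPLE_AUDIT_LOG are constructed: the field names (Operation, UserId,
Parameters as Name/Value pairs) follow the Exchange admin audit schema, but
example.org and dead-drop.example are placeholder domains.
"""
import json

# Cmdlets that can set up forwarding and the parameters that carry a destination.
# New-/Set-InboxRule are per-user rules; Set-Mailbox is mailbox-level forwarding
# configured by an admin account or by a session that has been hijacked.
FORWARDING_PARAMS = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
}

INTERNAL_DOMAINS = {"example.org"}  # assumption: the tenant's own accepted domains

# Constructed audit records: one hidden rule to a dead drop, one benign rule,
# one mailbox-level forward to a dead drop, one internal redirect.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2022-08-15T09:12:03","Operation":"New-InboxRule","UserId":"analyst@example.org","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardAsAttachmentTo","Value":"smtp:archive@dead-drop.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2022-08-15T09:40:11","Operation":"New-InboxRule","UserId":"ops@example.org","Parameters":[{"Name":"Name","Value":"Move newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2022-08-16T11:05:44","Operation":"Set-Mailbox","UserId":"admin@example.org","ObjectId":"director@example.org","Parameters":[{"Name":"Identity","Value":"director@example.org"},{"Name":"ForwardingSmtpAddress","Value":"smtp:d.collector@dead-drop.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2022-08-16T12:00:00","Operation":"Set-InboxRule","UserId":"hr@example.org","Parameters":[{"Name":"Name","Value":"to assistant"},{"Name":"RedirectTo","Value":"Assistant <assistant@example.org>"}]}
"""


def parse_audit_lines(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _addresses(value):
    """Normalise a recipient parameter into bare, lower-cased SMTP addresses.

    Exchange records recipients as a plain address, an 'smtp:'-prefixed
    address, a 'Display Name <addr>' string, or a ';'-separated list of those.
    """
    out = []
    for part in str(value).split(";"):
        part = part.strip()
        if not part:
            continue
        if "<" in part and part.endswith(">"):
            part = part[part.rfind("<") + 1:-1]
        if part.lower().startswith("smtp:"):
            part = part[5:]
        out.append(part.lower())
    return out


def is_external(addr, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of the tenant's own."""
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains


def find_suspicious_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per record that forwards or redirects mail outside the tenant."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op not in FORWARDING_PARAMS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = []
        for name in FORWARDING_PARAMS[op]:
            if name in params:
                external += [a for a in _addresses(params[name])
                             if is_external(a, internal_domains)]
        if not external:
            continue
        # A rule that also deletes or marks the message as read hides the
        # forwarded copy from the victim, which is what a quiet dead drop wants.
        hides = any(str(params.get(k, "")).lower() == "true"
                    for k in ("DeleteMessage", "MarkAsRead"))
        findings.append({
            "time": rec.get("CreationTime"),
            "operation": op,
            "actor": rec.get("UserId"),
            "mailbox": params.get("Identity", rec.get("UserId")),
            "rule": params.get("Name"),
            "external_recipients": sorted(set(external)),
            "hides_forwarded_mail": hides,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_forwarding(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(f)
```

In a real tenant the records come from `Search-UnifiedAuditLog` (or the Office 365 Management Activity API) rather than a string, and the findings should be joined with the sign-in that preceded the rule change: a rule created minutes after a login from an unfamiliar network is the pattern the report describes. A rule named with a single character or a period, as in the first sample record, is worth a second look on its own.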
Microsoft’s own OneDrive service was among the services the group abused, the report explains. “As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection,” it says.