View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 16, 2022updated 17 Aug 2022 4:49am

Are Russian spies targeting Microsoft’s customers through Seaborgium hacking gang?

“Significant threat" to customers uncovered by Microsoft. Russia gets the blame.

By Claudia Glover

Microsoft has warned a “highly persistent” cybercriminal gang, Seaborgium, is carrying out persistent phishing and credential theft campaigns on its customers in countries which are part of the Nato defence alliance.

Seaborgium Microsoft
Microsoft has warned of the threat posed by Russia-backed cybercrime gang Seaborgium (Photo courtesy of HJBC/iStock)

The gang appears to be closely aligned with the Russian government, a report from the Microsoft Threat Intelligence Centre (MSTIC) says. “MSTIC assesses that information collected during Seaborgium intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations,” the report notes.

What we know about Seaborgium

Also known as Callisto, Cold River and TA446, Seaborgium primarily focus on defence and intelligence consulting companies, intergovernmental organisations and think tanks.

The group hit the headlines earlier this year when it leaked emails it claimed were from leading pro-Brexit figures in the British establishment, including former head of MI6 Richard Dearlove and campaigner Baroness Stuart.

Microsoft has tracked that 30% of Seaborgium activity is targeted at consumer email accounts, meaning the group is targeting individuals as well, explains the report released yesterday by the MSTIC.

Since the beginning of 2022, Microsoft has observed Seaborgium campaigns targeting over 30 organisations, it says, “in addition to personal accounts of people of interest”. It primarily targets Nato counties, particularly the US and the UK.

The hacking gang is known for persistently targeting the same organisation over long periods of time. “Once successful,” the report reads, “it slowly infiltrates targeted organisations’ social networks through constant impersonation, rapport building and phishing to deepen their intrusion.”

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

The group has been successfully compromising people and organisations of interest for several years through consistent campaigns, “rarely changing methodologies or tactics”, states Microsoft.

MSTIC says it has been working with the Google Threat Analysis Group and security company ProofPoint to track and disrupt the gang.

Seaborgium’s tactics: fake LinkedIn profiles and open-source intelligence

Based on some of the impersonation tactics and targeting observed, the suspects may use social media platforms, personal directories and general open-source intelligence (OSINT) to shape their campaigns. Microsoft-owned LinkedIn hosts numerous fake profiles attributed to Seaborgium, MSTIC says.

“In accordance with their policies, LinkedIn terminated any account identified as conducting inauthentic or fraudulent behaviour,” states the report.

The gang register new email accounts at consumer email providers under the legitimate aliases of names of impersonated individuals. “We have observed Seaborgium returning to and reusing historical accounts that match the industry of the ultimate target,” the report explains. “In one case, we observed Seaborgium returning to an account it had not used in a year, indicating potential tracking and reusing of accounts if relevant to targets’ verticals.”

Gang members will then use these aliases to send the target a phishing email with a PDF attachment. Once opened, the attachment will show an error message dictating that the PDF could not be opened, showing a button they should click on to ‘try again’.

If clicked, this button brings the victim to a landing page running phishing frameworks, displaying a login form designed to lift the victim’s credentials. Once they have gained access, the gang will “exfiltrate emails and attachments from the inboxes of victims,” explains Microsoft, or, in limited cases, “set up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data.”

MSTIC has been working with colleagues to disable accounts used by the gang “for reconnaissance, phishing and email collection”.

Microsoft’s OneDrive service has been a particularly targeted system, explains the report. “As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection,” it says.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit

Read more: South Staffordshire Water hit with cyberattack from CL0P

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.