Microsoft Destroys Russian Cyber Espionage Group That Impersonated It in Email-based Phishing Campaigns

SEABORGIUM has targeted 30 organizations in 2022, including defense and intelligence consulting companies, NGOs and IGOs, think tanks, and higher education organizations.

August 17, 2022

Microsoft on Monday said it disrupted a phishing and data theft campaign by a known cybercriminal group, SEABORGIUM. The Russia-based group has targeted organizations in NATO countries, the Baltics, the Nordics, and Eastern Europe to conduct cyber espionage and information operations.

Microsoft is confident that SEABORGIUM isn’t financially motivated. Tracked as TA446 by Proofpoint, Callisto by F-Secure, and COLDRIVER by Google, the entity uses phishing as the initial attack vector, intrudes into networks and systems, and steals confidential data.

“Once successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion,” Microsoft noted. The company said SEABORGIUM typically targets the same organization repeatedly and doesn’t change its tactics or methodology very often.

“SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries,” Microsoft noted.

Given its modus operandi, SEABORGIUM primarily targets defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. The group has targeted 30 organizations in 2022. However, as much as 30% of SEABORGIUM activity was directed at consumer email addresses.

In a typical operation, SEABORGIUM threat actors first conduct reconnaissance to find authentic contacts of their target on social networks such as LinkedIn. They may also leverage personal directories and general open-source intelligence. The threat actors then establish contact through newly registered accounts.

In the case of individuals, the attackers first build a rapport with the target by sending a benign email. A reply from any employee or individual is followed up with emails carrying malicious attachments disguised as files or as document-hosting services such as OneDrive.

SEABORGIUM Phishing Email | Source: Microsoft


Opening the attachment shows a fake failed attempt at loading the file and then prompts the target to click a button. This button contains an obfuscated link that, if clicked, takes the target user to a landing page backed by attacker-controlled infrastructure such as EvilGinx.

SEABORGIUM Phishing Email Attachment | Source: Microsoft

The landing page imitates the sign-in page of a legitimate service. Once the threat actors obtain credentials and cookies, they exfiltrate data and set themselves up for long-term data collection using email auto-forwarding and other techniques.

Microsoft was able to disable SEABORGIUM accounts successfully and shared a list of 69 domains associated with the Russia-based cybercriminal entity.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com