UK NCSC warns businesses of ongoing Russian, Iranian spear-phishing campaigns

The National Cyber Security Centre security advisory explains why spear-phishing campaigns by the Russia-based SEABORGIUM and Iran-based TA453 threat groups pose a risk.


The UK’s National Cyber Security Centre (NCSC) has issued a security advisory warning businesses of continued spear-phishing campaigns by Russia-based threat group SEABORGIUM and Iran-based threat group TA453. Throughout 2022, SEABORGIUM and TA453 targeted UK sectors including academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists and activists, the NCSC wrote. The advisory seeks to raise awareness of this activity for individuals and organisations in sectors known to be of interest to these actors. Recent research linked both groups to nation state intelligence interests.

SEABORGIUM, TA453 use open-source resources for attack reconnaissance

SEABORGIUM (Callisto Group/TA446/COLDRIVER/TAG-53) and TA453 (APT42/Charming Kitten/Yellow Garuda/ITG18) use open-source resources to conduct reconnaissance and identify hooks to engage their targets, the NCSC stated. “They take the time to research their interests and identify their real-world social or professional contacts. They have also created fake social media or networking profiles that impersonate respected experts, and used supposed conference or event invitations, as well as false approaches from journalists.”

Both SEABORGIUM and TA453 use webmail addresses from different providers (including Outlook, Gmail, and Yahoo) in their initial approach, impersonating known contacts of a target or eminent names in the target’s field of interest or sector, the NCSC added. “The actors have also created malicious domains resembling legitimate organisations to appear authentic.”

Both threat groups predominantly send spear-phishing emails to targets’ personal email addresses, likely to circumvent corporate network security controls. They also typically seek to establish benign contact with some correspondence between attacker and target as the attacker builds rapport, the NCSC wrote.

SEABORGIUM, TA453 steal credentials, perform follow-on attacks

With trust established, attackers share a link to a phony document or website of interest, which leads the target to an actor-controlled server, prompting them to enter account credentials. “The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, Google Drive, or other file-sharing platforms,” the NCSC wrote. “TA453 has even shared malicious links disguised as Zoom meeting URLs, and in one case, even set up a Zoom call with the target to share the malicious URL in the chat bar during the call.”

Reports have also indicated the use of multi-persona impersonation to add the appearance of legitimacy. From there, SEABORGIUM and TA453 actors use stolen credentials to log in to targets’ email accounts to access and steal emails and attachments, along with setting up mail-forwarding rules for ongoing visibility of victim correspondence. “The actors have also used their access to a victim email account to access mailing-list data and victim’s contacts lists. The actors then use this information for follow-on targeting and have also used compromised email accounts for further phishing activity.”
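The mail-forwarding rules described above are a persistence step that defenders can audit for. The following is an added example, not code from the NCSC advisory or from this article: it scores mailbox rules (in a constructed, simplified export shape) that forward or redirect mail outside the organisation, rating consumer webmail destinations and rules that delete the original as high severity. The internal domain example.org and the sample rules are assumed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed: the audited organisation's domain, and the webmail providers the advisory names.
INTERNAL_DOMAINS = {"example.org"}
WEBMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com"}

@dataclass
class InboxRule:
    """Simplified, constructed shape of a mailbox rule export."""
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)   # copies mail elsewhere
    redirect_to: list[str] = field(default_factory=list)  # moves mail elsewhere
    delete_message: bool = False                          # hides the copy from the user

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def assess_rule(rule: InboxRule) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is 'none', 'medium' or 'high'."""
    external = [a for a in rule.forward_to + rule.redirect_to
                if domain_of(a) not in INTERNAL_DOMAINS]
    if not external:
        return "none", []
    reasons = ["forwards outside the organisation: " + ", ".join(external)]
    severity = "medium"
    if any(domain_of(a) in WEBMAIL_DOMAINS for a in external):
        reasons.append("destination is a consumer webmail account")
        severity = "high"
    if rule.delete_message:
        reasons.append("deletes the original, so the mailbox owner never sees it")
        severity = "high"
    return severity, reasons

def audit(rules: list[InboxRule]) -> list[tuple[str, str, str]]:
    """(mailbox, rule name, severity) for every rule that needs analyst review."""
    findings = []
    for rule in rules:
        severity, _ = assess_rule(rule)
        if severity != "none":
            findings.append((rule.mailbox, rule.name, severity))
    return findings

# Constructed sample export: one benign internal rule, two attacker-style rules.
SAMPLE_RULES = [
    InboxRule("j.doe@example.org", "To assistant", forward_to=["pa@example.org"]),
    InboxRule("j.doe@example.org", ".", forward_to=["jdoe.backup@gmail.com"], delete_message=True),
    InboxRule("a.lee@example.org", "Personal copy", redirect_to=["a.lee@partner-org.net"]),
]
```

A real audit would feed `audit()` with rules pulled from the mail platform's rule listing rather than the constructed sample, and treat every "high" finding as a trigger to check the account's sign-in history.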

SEABORGIUM, TA453 groups linked to nation-state intelligence agendas

Recent research has linked both SEABORGIUM and TA453 activity to nation-state intelligence agendas. In December last year, Proofpoint published findings of TA453’s activity between 2020 and 2022, highlighting new-to-TA453 phishing techniques including compromised accounts, malware, and confrontational lures, and campaigns targeting medical researchers, an aerospace engineer, a realtor, and travel agencies, among others. “Proofpoint judges with moderate confidence that this atypical activity reflects TA453’s dynamic support to ad hoc Islamic Revolutionary Guard Corps’ (IRGC) intelligence requirements,” researchers wrote.

In August 2022, the Microsoft Threat Intelligence Center (MSTIC) revealed that, since the beginning of 2022, SEABORGIUM had been observed targeting over 30 organisations, in addition to personal accounts of people of interest. “SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe,” read an MSTIC blog citing objectives and victimology that align closely with Russian state interests. “Within the target countries, SEABORGIUM primarily focuses operations on defence and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.”

Copyright © 2023 IDG Communications, Inc.
