Saturday, June 14, 2025
Homecyber securityMicrosoft Disrupted Russia-Linked APT SEABORGIUM Targeting NATO Countries

Microsoft Disrupted Russia-Linked APT SEABORGIUM Targeting NATO Countries

Published on

SIEM as a Service

Follow Us on Google News

Microsoft Threat Intelligence Center (MSTIC) has noticed and taken measures to interrupt campaigns launched by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage targeting NATO countries.

Insights into SEABORGIUM’s Activities

SEABORGIUM is active since 2017, a highly persistent threat actor, repeatedly targeting the same organizations over long periods of time. Once the attack is successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion.

It is related to the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER (Google). It primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

- Advertisement - Google News

Researchers say SEABORGIUM mainly focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. It is also been has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

Microsoft says SEABORGIUM often carries out an investigation of target individuals, with a focus on identifying legitimate contacts in the targets’ distant social network or sphere of influence.

Based on the research, the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.

Example profile used by SEABORGIUM to conduct industry-specific reconnaissance

“MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest, Microsoft

Threat actors utilized fake identities to contact target individuals and begin a conversation with them to build a relationship and trap them into opening an attachment sent via phishing messages.

The phishing messages used PDF attachments and in some cases, they attached links to file or document hosting services, or to OneDrive accounts hosting the PDF documents.

A screenshot of a phishing email sent by SEABORGIUM to their target. The email impersonates the lead of an organization and informs the recipient of possible attackers against their organization. The email then tells the recipient to open an attached PDF file, disguised as analytical material for safety and informational awareness.

Actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity-themed lure

A screenshot of an email sent by SEABORGIUM which used the Ukraine conflict as a social engineering lure. The email contains a PDF file, which the email sender mentions as a new paper about Ukraine they’d like the recipient to check.
Utilizing the war in Ukraine as a trick, attaching a PDF file to the email.

Upon clicking the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. The framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials.

After getting the credentials, the target is redirected to a website or document to complete the interaction.

SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. It will even set up forwarding rules from victim inboxes to enable persistent data collection, Microsoft said.

Recommendations

  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
  • Configure Office 365 to disable email auto-forwarding.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm the authenticity and investigate any anomalous activity.
  • Need multifactor authentication (MFA) for all users coming from all locations.

Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

Sponsored: Rise of Remote Workers: A Checklist for Securing Your Network – Download Free White paper

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...