Microsoft Disrupted Russia

Microsoft Threat Intelligence Center (MSTIC) has noticed and taken measures to interrupt campaigns launched by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage targeting NATO countries.

Insights into SEABORGIUM’s Activities

SEABORGIUM is active since 2017, a highly persistent threat actor, repeatedly targeting the same organizations over long periods of time. Once the attack is successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion.

It is related to the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER (Google). It primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

Researchers say SEABORGIUM mainly focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. It is also been has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

Microsoft says SEABORGIUM often carries out an investigation of target individuals, with a focus on identifying legitimate contacts in the targets’ distant social network or sphere of influence.

Based on the research, the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.

Example profile used by SEABORGIUM to conduct industry-specific reconnaissance

“MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest, Microsoft

Threat actors utilized fake identities to contact target individuals and begin a conversation with them to build a relationship and trap them into opening an attachment sent via phishing messages.

The phishing messages used PDF attachments and in some cases, they attached links to file or document hosting services, or to OneDrive accounts hosting the PDF documents.

A screenshot of a phishing email sent by SEABORGIUM to their target. The email impersonates the lead of an organization and informs the recipient of possible attackers against their organization. The email then tells the recipient to open an attached PDF file, disguised as analytical material for safety and informational awareness.

Actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity-themed lure

A screenshot of an email sent by SEABORGIUM which used the Ukraine conflict as a social engineering lure. The email contains a PDF file, which the email sender mentions as a new paper about Ukraine they’d like the recipient to check.
Utilizing the war in Ukraine as a trick, attaching a PDF file to the email.

Upon clicking the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. The framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials.

After getting the credentials, the target is redirected to a website or document to complete the interaction.

SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. It will even set up forwarding rules from victim inboxes to enable persistent data collection, Microsoft said.

Recommendations

  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
  • Configure Office 365 to disable email auto-forwarding.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm the authenticity and investigate any anomalous activity.
  • Need multifactor authentication (MFA) for all users coming from all locations.

Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

Sponsored: Rise of Remote Workers: A Checklist for Securing Your Network – Download Free White paper

Leave a Reply