Wednesday, May 22, 2024

Microsoft Disrupted Russia-Linked APT SEABORGIUM Targeting NATO Countries

Microsoft Threat Intelligence Center (MSTIC) has noticed and taken measures to interrupt campaigns launched by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage targeting NATO countries.

Insights into SEABORGIUM’s Activities

SEABORGIUM is active since 2017, a highly persistent threat actor, repeatedly targeting the same organizations over long periods of time. Once the attack is successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion.

It is related to the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER (Google). It primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

Researchers say SEABORGIUM mainly focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. It is also been has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

Microsoft says SEABORGIUM often carries out an investigation of target individuals, with a focus on identifying legitimate contacts in the targets’ distant social network or sphere of influence.

Based on the research, the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.

Example profile used by SEABORGIUM to conduct industry-specific reconnaissance

“MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest, Microsoft

Threat actors utilized fake identities to contact target individuals and begin a conversation with them to build a relationship and trap them into opening an attachment sent via phishing messages.

The phishing messages used PDF attachments and in some cases, they attached links to file or document hosting services, or to OneDrive accounts hosting the PDF documents.

A screenshot of a phishing email sent by SEABORGIUM to their target. The email impersonates the lead of an organization and informs the recipient of possible attackers against their organization. The email then tells the recipient to open an attached PDF file, disguised as analytical material for safety and informational awareness.

Actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity-themed lure

A screenshot of an email sent by SEABORGIUM which used the Ukraine conflict as a social engineering lure. The email contains a PDF file, which the email sender mentions as a new paper about Ukraine they’d like the recipient to check.
Utilizing the war in Ukraine as a trick, attaching a PDF file to the email.

Upon clicking the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. The framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials.

After getting the credentials, the target is redirected to a website or document to complete the interaction.

SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. It will even set up forwarding rules from victim inboxes to enable persistent data collection, Microsoft said.


  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
  • Configure Office 365 to disable email auto-forwarding.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm the authenticity and investigate any anomalous activity.
  • Need multifactor authentication (MFA) for all users coming from all locations.

Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

Sponsored: Rise of Remote Workers: A Checklist for Securing Your Network – Download Free White paper


Latest articles

OmniVision Technologies Cyber Attack, Hackers Stolen Personal Data in Ransomware Attack

OmniVision Technologies, Inc. (OVT) recently disclosed a significant security breach that compromised its clients'...

Critical Flaw In Confluence Server Let Attackers Execute Arbitrary Code

The widely used team workspace corporate wiki Confluence has been discovered to have a...

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a...

Hackers Breached Western Sydney University Microsoft 365 & Sharepoint Environments

Western Sydney University has informed approximately 7,500 individuals today of an unauthorized access incident...

Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud

Memcyco Inc., provider of digital trust technology designed to protect companies and their customers...

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread...

Critical Memory Corruption In Cloud Logging Infrastructure Enables Code Execution Attack

A new critical vulnerability has been discovered in Fluent Bit's built-in HTTP server, which...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles