Microsoft Disrupted Russia-Linked APT SEABORGIUM Targeting NATO Countries

Microsoft Threat Intelligence Center (MSTIC) has noticed and taken measures to interrupt campaigns launched by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage targeting NATO countries.

Insights into SEABORGIUM’s Activities

SEABORGIUM is active since 2017, a highly persistent threat actor, repeatedly targeting the same organizations over long periods of time. Once the attack is successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion.

It is related to the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER (Google). It primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

Researchers say SEABORGIUM mainly focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. It is also been has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

Microsoft says SEABORGIUM often carries out an investigation of target individuals, with a focus on identifying legitimate contacts in the targets’ distant social network or sphere of influence.

Based on the research, the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.

“MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest, Microsoft

Threat actors utilized fake identities to contact target individuals and begin a conversation with them to build a relationship and trap them into opening an attachment sent via phishing messages.

The phishing messages used PDF attachments and in some cases, they attached links to file or document hosting services, or to OneDrive accounts hosting the PDF documents.

Actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity-themed lure

Upon clicking the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. The framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials.

After getting the credentials, the target is redirected to a website or document to complete the interaction.

SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. It will even set up forwarding rules from victim inboxes to enable persistent data collection, Microsoft said.

Recommendations

• Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
• Configure Office 365 to disable email auto-forwarding.
• Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm the authenticity and investigate any anomalous activity.
• Need multifactor authentication (MFA) for all users coming from all locations.

Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

Sponsored: Rise of Remote Workers: A Checklist for Securing Your Network – Download Free White paper