MaksymFilipchuk - stock.adobe.co
Russian spear phishing campaign escalates efforts toward critical UK, US and European targets
Russian hacking group Seaborgium refines its tactics in a continuation of attacks against targets including not-for-profit organisations with geopolitical affiliations
Russian state-sponsored hackers have become increasingly sophisticated at launching phishing attacks against critical targets in the UK, US and Europe over the past 12 months.
Threat actors have created fake personas, supported by social media accounts, fake profiles and academic papers, to lure targets into replying to sophisticated phishing emails.
“It's becoming much more elaborate, much more sophisticated, much more complete, because the social engineering has had to be more convincing than it is had to be in the past,” Sherrod DeGrippo, an independent threat intelligence expert told Computer Weekly.
Her comments came after the National Cyber Security Centre (NCSC) released an advisory warning about the continued cyber attacks associated with two groups based in Iran and Russia. The Russian group, identified by several aliases including Seaborgium, has recently targeted SNP MP Stewart McDonald.
DeGrippo said Russia and Iran are evolving toward attacks that are more carefully constructed in terms of the social engineering of the personas they create.
The sophistication of impersonation of the attacks by Seaborgium and other Russian hacking groups has escalated in the past 12 to 18 months. Threat actors have created full personas, including social media accounts and profiles.
With each successful attack, the threat actor is able to refine their tactics by generating fake profiles that are more convincing. Threat actors are generating entire websites and portals, to include references to the persona’s name and articles or academic papers.
The malicious actor generates fake websites, articles and papers to pose as researchers or journalists. In this way, the techniques used are becoming more elaborate and sophisticated, said DeGrippo.
Academics are a particularly attractive target for the hacking group. DeGrippo said, “If you're a professor at a university, that's typically not all you do. You also have some kind of speaking position. You also serve on a board somewhere. In some instances, you may also work at a law firm or work at a hospital.
“Most academics don't have a single role. If they specialise in anything international, like international law, atomic sciences, journalism, activism, then all the [threat actors] have to do is compromise that academic in one area."
Journalists targeted by Russia
Journalists are also considered a high-value targets by Russian threat actors. Sensitive off-record material acquired from sources is of high value to Russian state-sponsored groups. The intelligence gained may also be timely as it will be some of the earliest background information.
“They [journalists] in many ways have leaks, secrets, sensitive information,” said DeGrippo. The bad actor also has the choice to compromise the account and start sending emails posing as the target, she added: “Because at that point, you can start asking questions of sources that are a unique interest to cyber espionage intelligence for Russian interests.”
'The NCSC advisory points out the similarity between the tactics employed by TA453 and Seaborgium but explains that, according to the NCSC’s own industry reporting, the groups are not working together.
TA453, also known as APT42/Charming Kitten/Yellow Garuda/ITG18, is an Iranian-based hacking group that has been using techniques such as impersonation and reconnaissance to collect sensitive information.
Alexis Dorais-Joncas, senior manager at Proofpoint, which began investigations into Seaborgium - which is also referred to by the US cyber security company as TA446 - in early 2021.
Dorais-Joncas said that Proofpoint has seen Seaborgium target the education sector and US federal civilian targets, as well as not-for-profit groups (NGOs) with geopolitical affiliations. The Russian hacking group typically starts its campaigns with benign emails. Only after the group has ascertained if the email is active do they send phishing emails with malicious links intended to harvest credentials.
Dorais-Joncas said the activity by Seaborgium “relies heavily on reconnaissance and impersonation for delivery.”
While the nature of Seaborgium’s attacks may not be unique, the tactics employed by the Russian group have evolved and become more refined.
Whack-a-mole
Dorais-Joncas describes Seaborgium as playing a game of "whack-a-mole" whether takedowns are occurring or not: “The threat actor rapidly registers and changes which personas and aliases they are mimicking in the consumer email addresses and infrastructure they create".
He added: "Proofpoint analysts have observed various file types attached, delivery chains, and methods of evasion within hours of initial delivery to the end of a campaign."
DeGrippo, a former senior director of threat research and detection at Proofpoint, said the traditional tactics, techniques and procedures used by Seaborgium are particularly insidious.
A malicious actor logs in as a benign person and redirects emails to their own infrastructure, “meaning that person continues to operate their email, not knowing at any point that it has been compromised by a Russian threat actor,” she said.
The Russian actor continues to get copies of the emails the target receives. The bad actor may never leverage the account to send emails from and only use it to make decisions based on intelligence collection.
Cyber security firm Sekoia.io stated that Seaborgium (also referred to as Calisto) contributes to Russian intelligence collection and specifically identified crime-related evidence and/or international justice procedures. The French group stated that the collection of information of this nature is likely to anticipate and build a counter-narrative on future finger-pointing at Russia.
DeGrippo said the methods employed suggest they are state-supported. Attackers go to great lengths to ascertain if the email is operational by sending out initial emails to see if the subject responds: “Crimeware actors don't do that; crimeware actors aren't operating on behalf of a government entity.”
Dorais-Joncas said the choice of targets has sometimes been timed with events in the Ukrainian war. “Nuclear energy-related targeting timed with on-the-ground battles around power plants, or defence sector targeting when the topic of military aid and weapons delivery to Ukraine appeared in the news cycle,” he said.
The release of the NCSC’s advisory may be a reaction to the apparent escalation in the sophistication of Seaborgium’s attacks. Dorais-Joncas argued that the advisory raises “awareness for these specific organisations…at least they know that they are a target of a very advanced threat actor.”
He said that “by collaborating with other organisations in the security space, we can produce an effective and holistic method of tracking and curtailing the activity of threat actors such as TA446. Through collaborations of complementary and differing visibility, we are all in better positions to provide the most context and information to targeted users.”
Seaborgium was responsible for the hacking of the Protonmail account owned by Richard Dearlove, the former head of MI6.
Dorais-Joncas said that protecting email users should be a top priority for all organisations, in particular those heavily targeted industries with high-levels of email traffic. Focusing on a cyber security strategy based on people, processes, and technology should be a priority. This involves training employees to identify malicious emails and using email security tools to block threats before they reach users’ inboxes.
Threats can be mitigated by putting the right processes in place. “As with any other attack involving credential phishing, implementing robust multifactor authentication on all possible systems would help mitigate the impact of eventual stolen credentials,” Dorais-Joncas said.
Read more about Seaborgium
- Scottish National Party MP Stewart McDonald says his personal emails have been hacked by a group linked to the Russian state in a targeted phishing attack.
- Spearphishing campaigns likely linked to Iranian and Russian espionage activity are targeting persons of interest in the UK, warns the NCSC.
- Hack by Russian-linked ColdRiver group exposed former MI6 chief Richard Dearlove’s contacts and email communications with government, military, intelligence and political officials.
- Former UK spy boss Richard Dearlove leaked names of MI6 secret agent recruiters in China to back an aggressive right-wing US campaign against tech company Huawei. His emails were hacked and then leaked – probably by Russian intelligence.