The UK's National Cyber Security Centre (NCSC) has issued a warning over the continual cyberattacks perpetrated by Russian and Iranian hacker groups.
Its report says SEABORGIUM (AKA: Callisto Group/TA446/COLDRIVER/TAG-53) and TA453 (AKA: APT42/Charming Kitten/Yellow Garuda/ITG18) are using spear-phishing techniques to target institutions and individuals with the aim of gathering intel.
Although the two groups do not appear in be in collusion, they are separately attacking the same types of organizations, which last year included government bodies, NGOs, and those in the defense and education sectors, as well as individuals such politicians, journalists and activists.
Playing the long game
Spear-phishing is a more refined phishing technique, whereby the threat actor pretends to have information that is of particular interest to their victim. In the case of SEABORGIUM and TA453, they ascertain this by researching freely available resources, such as social media profiles and professional networking platforms, to learn about their target and the identities of people they know.
Both groups have even gone as far as creating fake social media profiles themselves, to impersonate their target's known contacts, as well as experts within their field and journalists, all in a effort to lure their catch.
There is usually unharmful contact at first, as SEABORGIUM and TA453 seek to establish a relationship with their target to gain their trust. The NCSC notes that this can last for an extended period.
Once they have, they will then usually deploy a malicious link, wither in an email or embedded within a shared document on platforms such as Microsoft One Drive or Google Drive.
The NCSC reports that "in one case, [TA453] even set up a Zoom call with the target to share the malicious URL in the chat bar during the call." The use of multiple fake personas in a single phishing attack has also been reported, in an effort to bolster the façade.
Following these links will usually take the victim to a fake login page controlled by the attackers, and once they enter their credentials, they are stolen. With these, the hackers then log into their victims' email accounts to steal emails, attachments, and also forward incoming emails to their own accounts to continually spy on them.
What's more, they then use the saved contacts in the compromised email account to find yet more victims in follow-on attacks and start the process all over again.
Both SEABORGIUM and TA453 use accounts from common email providers, such as Outlook and Gmail, to create spoof identities when first approaching their target. They have also created fake domains for seemingly legitimate organizations. Those that are currently known to be linked to SEABORGIUM have been published in a list courtesy of the Microsoft Threat Intelligence Center (MSTIC).
Cybersecurity firm Proofpoint has been on the tail of the Iranian TA453 group since 2020, largely echoing the same findings as the NCSC: "[TA453] campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation."
They also noted that other targets from the group have included medical researchers, an aerospace engineer, a realtor, and travel agencies. In addition, the firm issued the following warning:
"Researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts that are approached by journalists should check the publication’s website to see if the email address belongs to a legitimate reporter."
- To protect your business, consider using the best firewall
