SEABORGIUM, TA453 continue spearphishing attacks against organizations, UK NCSC warns

The U.K.’s National Cyber Security Centre (NCSC) disclosed that the Russia-based SEABORGIUM and Iran-based TA453 hacker groups continue to use spear-phishing attacks against targeted organizations and individuals in the U.K. and other areas of interest, primarily for information-gathering activity.

“Throughout 2022, SEABORGIUM and TA453 targeted sectors included academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists, and activists,” the NCSC alert said on Thursday. “Although there is similarity in the TTPs and targeting profiles, these campaigns are separate and the two groups are not collaborating.”

The SEABORGIUM group is also tracked under the names Callisto Group, TA446, COLDRIVER, and TAG-53, while TA453 is also known as APT42, Charming Kitten, Yellow Garuda, and ITG18.

Last August, the Microsoft Threat Intelligence Center (MSTIC) disclosed that it had observed, and taken action to disrupt, campaigns launched by SEABORGIUM, a group the software giant has tracked since 2017. Originating from Russia, the group has been identified as a highly persistent threat actor that frequently targets the same organizations over long periods.

Since the beginning of 2022, Microsoft has observed SEABORGIUM campaigns targeting over 30 organizations, as well as personal accounts of people of interest. The group primarily targets NATO countries, particularly the U.S. and the U.K., with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. The targeting is also said to have included the Ukrainian government sector in the months leading up to Russia’s invasion, and organizations involved in supporting roles for the war in Ukraine.

The NCSC describes the activity as typical of spear-phishing campaigns, in which an actor targets a specific individual or group, using information known to be of interest to the targets to engage them. The actor perceives the target either to have direct access to information of interest, to be an access vector to another target, or both.

The alert said that SEABORGIUM and TA453 identify hooks to engage their targets by conducting open-source reconnaissance, including on social media and professional networking platforms. They take the time to research their targets’ interests and to identify their real-world social or professional contacts. They have also created fake social-media or networking profiles that impersonate respected experts, and have used supposed conference or event invitations as well as false approaches from journalists.

Both SEABORGIUM and TA453 use webmail addresses from different providers, such as Outlook, Gmail, and Yahoo in their initial approach, impersonating known contacts of the target or eminent names in the target’s field of interest or sector. The hackers have also created malicious domains resembling legitimate organizations to appear authentic.
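As an added illustration of the impersonation pattern described above (example code written for this article, not taken from the NCSC alert or Microsoft’s report), the following Python function scores a single From header against a small, constructed list of trusted domains and known contacts. It flags homoglyph and near-miss spellings of a trusted domain, sender domains that merely embed a trusted domain, and display names that match a known contact while the address comes from somewhere else, such as a free webmail provider. The organization, domain names, contact list, and edit-distance threshold are hypothetical.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed reference data for a hypothetical organisation (not from the alert).
TRUSTED_DOMAINS = {"example.ac.uk", "thinktank-example.org"}
KNOWN_CONTACTS = {"Dr Jane Smith": "j.smith@example.ac.uk"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "yahoo.co.uk", "protonmail.com"}

# Character swaps commonly used in lookalike domains; applied to BOTH sides before comparing,
# so legitimate strings stay comparable with themselves.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("3", "e"), ("5", "s"))


def normalize(text: str) -> str:
    """Fold to lowercase ASCII, collapse confusable characters, drop separators."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return re.sub(r"[.\-_\s]", "", text)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Display names are looked up in normalized form so "Dr  Jane Smlth" still matches.
_CONTACTS_BY_NAME = {normalize(name): addr.lower() for name, addr in KNOWN_CONTACTS.items()}


def assess_sender(from_header: str) -> list[str]:
    """Return a list of findings for one From header; an empty list means nothing noteworthy."""
    display, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["unparseable From address"]
    domain = address.rsplit("@", 1)[1]
    findings = []

    # An exact trusted domain is accepted here only on the assumption that SPF/DKIM/DMARC
    # alignment is enforced upstream; without that, a trusted domain can simply be spoofed.
    if domain not in TRUSTED_DOMAINS:
        norm = normalize(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            tnorm = normalize(trusted)
            if norm == tnorm:
                findings.append(f"homoglyph lookalike of {trusted}: {domain}")
            elif levenshtein(norm, tnorm) <= 2:
                findings.append(f"near-miss spelling of {trusted}: {domain}")
            elif tnorm in norm:
                findings.append(f"embeds trusted domain {trusted}: {domain}")

    # A known contact's name on an address we do not have on file, e.g. a webmail account.
    known = _CONTACTS_BY_NAME.get(normalize(display))
    if known and known != address:
        kind = "free webmail" if domain in FREE_WEBMAIL else "unrecognised"
        findings.append(
            f"display name {display!r} matches known contact {known} but sender is {kind} address {address}"
        )
    return findings


if __name__ == "__main__":
    # Constructed headers, including the webmail-impersonation case the NCSC describes.
    for header in (
        "Dr Jane Smith <j.smith@example.ac.uk>",
        "Dr Jane Smith <dr.jane.smith.exampleacuk@gmail.com>",
        "IT Support <no-reply@examp1e.ac.uk>",
        "Conference Team <invite@example-ac-uk.conference-portal.com>",
    ):
        print(header, "->", assess_sender(header) or "ok")
```

The check is deliberately conservative: it only reasons about the From header, so it complements rather than replaces DMARC enforcement, and it will not catch a newly registered domain that resembles nothing on the trusted list, which is why the NCSC’s emphasis on user vigilance still applies.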

MSTIC provided a list of observed indicators of compromise (IOCs) in its SEABORGIUM blog, although the NCSC warned that this list should not be considered exhaustive.

According to the alert, SEABORGIUM and TA453 have predominantly sent spear-phishing emails to targets’ personal email addresses, although corporate or business addresses have also been used. Targeting personal accounts may allow the attackers to circumvent the security controls in place on corporate networks.

“Having taken the time to research their targets’ interests and contacts to create a believable approach, SEABORGIUM and TA453 now start to build trust,” the NCSC said. “They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.”

Once trust is established, the attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest, thereby leading the target to a hacker-controlled server, prompting the target to enter account credentials. “The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, GoogleDrive, or other file-sharing platforms,” NCSC said.

“TA453 has even shared malicious links disguised as Zoom meeting URLs, and in one case, even set up a Zoom call with the target to share the malicious URL in the chat bar during the call,” the alert said. Industry partners have also reported the use of multi-persona impersonation (use of two or more actor-controlled personas on a spear-phishing thread) to add the appearance of legitimacy.

Irrespective of the delivery method used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.

NCSC said that the SEABORGIUM and TA453 hackers then use the stolen credentials to log in to targets’ email accounts, from where they are known to access and steal emails and attachments from the victim’s inbox. “They have also set-up mail-forwarding rules, giving them ongoing visibility of victim correspondence. The actors have also used their access to a victim email account to access mailing-list data and victim’s contacts lists. The actors then use this information for follow-on targeting and have also used compromised email accounts for further phishing activity,” the agency added.

Although spear-phishing is an established technique used by many actors, SEABORGIUM and TA453 continue to use it successfully and keep evolving it to maintain that success, the NCSC concluded.

Organizations have been called upon to use strong passwords and multi-factor authentication, which helps reduce the impact of password compromises. They have also been advised to protect their devices and networks by keeping them up to date and using the latest supported versions, promptly applying security updates, deploying antivirus, and scanning regularly to guard against known malware threats. 

Users are also warned to stay vigilant, since spear-phishing emails are tailored to avoid suspicion. Organizations are additionally advised to enable their email providers’ automated scanning features and to disable automatic mail-forwarding, since the attackers have been observed setting up forwarding rules to retain visibility of a target’s correspondence after the initial compromise.
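The forwarding-rule persistence described above leaves a trail in mailbox audit logging that defenders can hunt on. The following Python is an added example written for this article (not NCSC or Microsoft tooling) that reviews a batch of constructed records shaped like Exchange admin-audit entries (an Operation name plus a Parameters list of Name/Value pairs; that shape is an assumption about the export format) and flags rules or mailbox settings that send mail to an address outside the organization, escalating when the rule also deletes or marks-as-read the forwarded messages or carries an empty-looking name, both common ways of hiding the rule from the mailbox owner. The domains, users, IP addresses, and timestamps are all hypothetical.

```python
import re

# Constructed reference data for a hypothetical organisation.
INTERNAL_DOMAINS = {"example.ac.uk"}

# Operations and parameters that create or change where a user's mail is delivered.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Parameters that hide forwarded traffic from the mailbox owner.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")

# Constructed audit records (not real logs), in the assumed Operation/Parameters shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-01-17T09:12:44", "Operation": "New-InboxRule",
     "UserId": "j.smith@example.ac.uk", "ClientIP": "192.0.2.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@list.example.ac.uk"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2023-01-18T02:03:15", "Operation": "New-InboxRule",
     "UserId": "j.smith@example.ac.uk", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "\"archive\" [SMTP:archive.j.smith@example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-01-18T02:05:40", "Operation": "Set-Mailbox",
     "UserId": "j.smith@example.ac.uk", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "j.smith"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive.j.smith@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2023-01-19T10:30:00", "Operation": "Set-InboxRule",
     "UserId": "a.brown@example.ac.uk", "ClientIP": "192.0.2.10",
     "Parameters": [{"Name": "Identity", "Value": "Cover"},
                    {"Name": "ForwardTo", "Value": "\"Pat Lee\" [SMTP:p.lee@example.ac.uk]"}]},
]


def _params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def extract_addresses(value: str) -> set[str]:
    """Pull SMTP addresses out of values such as '"x" [SMTP:x@y.example]' or 'smtp:x@y.example'."""
    return {m.lower() for m in re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", value)}


def audit_forwarding(records: list, internal_domains: set) -> list:
    """Return one finding per record that forwards or redirects mail, ordered as in the input."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        p = _params(rec)
        dests = set()
        for name in FORWARD_PARAMS:
            if name in p:
                dests |= extract_addresses(p[name])
        if not dests:
            continue  # e.g. a rule that only files mail into a folder
        external = sorted(a for a in dests if a.rsplit("@", 1)[1] not in internal)
        hides = [n for n in HIDE_PARAMS if p.get(n, "").lower() not in ("", "false")]
        rule_name = p.get("Name") or p.get("Identity", "")
        nameless = not rule_name.strip(" .-_")  # names like "." or ".." are a hiding trick
        if external and (hides or nameless):
            severity = "critical"
        elif external:
            severity = "high"
        else:
            severity = "low"  # internal forwarding still deserves a glance
        findings.append({
            "time": rec.get("CreationTime"), "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"), "operation": rec["Operation"],
            "rule": rule_name, "destinations": sorted(dests), "external": external,
            "hides": hides, "nameless_rule": nameless, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_RECORDS, INTERNAL_DOMAINS):
        print(f["severity"].upper(), f["user"], f["operation"], f["rule"] or "<unnamed>",
              "->", ", ".join(f["destinations"]), "hides:", f["hides"] or "-")
```

In a real deployment the same logic would run over exported audit records rather than the inline list, and a tenant-wide policy that blocks automatic external forwarding stops the Set-Mailbox case outright; the audit is still worth running, because an inbox rule that forwards internally to a second compromised mailbox, or that only deletes mail from a particular sender, evades that control.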

The NCSC released in October new cybersecurity guidance to help organizations assess and gain confidence in the cybersecurity of their supply chains. The advisory comes in response to growing trends in supply chain attacks and calls upon organizations to work with suppliers to identify weaknesses and boost resilience.

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warned network defenders about the malicious use of legitimate remote monitoring and management (RMM) software. The agencies called upon organizations to review the IOCs and mitigations sections of the advisory and to apply its recommendations to protect against the malicious use of legitimate RMM software.
