Recorded Future details TAG-53 activity used for Russia-aligned espionage operations

Cybersecurity company Recorded Future has profiled the credential-harvesting infrastructure of threat activity group TAG-53, used in Russia-aligned espionage operations. The group’s activity was identified through a combination of network intelligence and analysis of open-source reporting. TAG-53 has used domains masquerading as organizations across multiple industry verticals, with a particular focus on the government, intelligence, and military sectors.

Since July, Recorded Future’s Insikt Group has observed the recurring use of similar infrastructure by TAG-53, which likely overlaps with infrastructure tactics, techniques, and procedures (TTPs) previously attributed to Callisto Group, COLDRIVER, and SEABORGIUM, groups that have been linked to activity aligning with Russian state interests, according to a report released this Monday. “Insikt Group has observed the recurring use of common traits by TAG-53 when curating its infrastructure, including the use of domain names employing a specific pattern construct along with Let’s Encrypt TLS certificates, the use of a specific cluster of hosting providers, and the use of a small cluster of autonomous systems,” it added.

“TAG-53 infrastructure was found to contain a spoofed Microsoft login page masquerading as a legitimate military weapons and hardware supplier in the United States, suggesting that some TAG-53 infrastructure has likely already been operationalized,” the report said. “Based on historical public reporting on overlapping TAG-53 campaigns, it is likely that this credential harvesting activity is enabled in part through phishing.”

TAG-53 continues to use particular stylistic structures when registering malicious domains, alongside a small set of domain registrars and IP addresses that reside in a small cluster of autonomous systems.

In August, Microsoft, in collaboration with Google’s Threat Analysis Group (TAG) and Proofpoint’s Threat Research Team, published a detailed account of SEABORGIUM’s phishing operations. At the time, Microsoft assessed that SEABORGIUM originates from Russia and has ‘objectives and victimology that align closely with Russian state interests.’ Microsoft also noted that SEABORGIUM overlaps with Callisto Group, TA446, and COLDRIVER, and that the group had carried out persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM primarily targets NATO countries, with a specific emphasis on the United States and the United Kingdom. The group also targeted Ukraine in the run-up to Russia’s full-scale invasion of the country in February 2022.

Recorded Future also pointed to Google TAG reporting, published in March and updated in May, that COLDRIVER has conducted credential phishing campaigns using Gmail accounts against nongovernmental organizations and think tanks, journalists, and government and defense officials. TAG also noted that COLDRIVER’s TTPs have evolved over time, moving towards phishing emails that carry links to PDF or DOC files hosted on Google Drive and Microsoft OneDrive.

Last week, PwC detailed that Blue Callisto (a.k.a. SEABORGIUM, Callisto Group) is likely a Russia-based threat actor that has primarily conducted phishing attacks for espionage purposes since at least 2017. The firm identified that the group is interested in acquiring credentials from U.S. and European government officials and from organizations linked to national security matters.

“In 2017 it was reported that the threat actor targeted the UK foreign office, and we have also observed its interest in UK and US universities in 2020 and 2022,” PwC said in its post. “Since the Russo-Ukraine war began in 2022, we have observed Blue Callisto taking an increased interest in Ukraine, targeting at least one private Ukrainian company related to logistics. We assess Blue Callisto is highly likely still primarily focused on governmental organisations based in Europe and the US,” it added.

Using available intelligence provided in open-source reporting, Insikt Group profiled TAG-53 infrastructure that likely overlaps with Callisto Group, COLDRIVER, and SEABORGIUM infrastructure, Recorded Future said. “TAG-53 infrastructure was uncovered by analyzing specific combinations of domain registrars, autonomous systems, domain name structures, and related TLS certificates. Based on this information, it is highly likely that this threat group is continuing its phishing and credential-harvesting operations,” it added.

While monitoring TAG-53 infrastructure, Insikt Group observed a spoofed Microsoft login page masquerading as a legitimate military weapons and hardware supplier in the US, suggesting that some TAG-53 infrastructure has likely already been operationalized, the report added.

Using current and passive domain name system (DNS) records, Insikt Group resolved IP addresses for 38 registered domains used by TAG-53 since January 2022, the report revealed. The identified TAG-53 domains show a trend towards the use of NameCheap, Porkbun, REG.RU, and regway for domain registration that has persisted since mid-2022. The reason for the preference for these registrars is unknown, but the pattern is a useful metric when profiling candidate TAG-53 infrastructure.

Of the 38 discovered domains, nine contained references to potential target organizations or to organizations that TAG-53 may be attempting to masquerade as. “The reason behind the use of these themed domains is not fully understood beyond the likely attempt to emulate real entities in order to appear more legitimate to potential targets and victims,” the report said.

Analysis of the nine domains reveals that seven share a focus around industry verticals that would likely be of interest to Russia-nexus threat groups, especially in light of the war in Ukraine, according to Insikt Group. The two outlier domains are probably intended to masquerade as the Ministry of Internal Affairs of the Russian Federation (MVD).

Insikt Group also noted that, alongside the use of specific domain registrars, TAG-53 relies on particular autonomous systems: all domains collected under TAG-53 resolved to IP addresses in ten autonomous systems, with a significant concentration in two Autonomous System Numbers (ASNs) linked to MIRhosting (AS52000) and Hostwinds (AS54290).

Furthermore, all identified TAG-53 domains were served with X.509 TLS certificates issued by Let’s Encrypt. The consistent use of Let’s Encrypt certificates allows for further correlation between TAG-53 domains and infrastructure, strengthening the clustering of the activity.
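The three infrastructure traits the report clusters on (registrar, autonomous system, and certificate issuer) can be turned into a simple triage score for candidate domains. The script below is an added example for this article, not Recorded Future’s or Insikt Group’s tooling. The registrar names, the two ASNs and the Let’s Encrypt issuer are the ones named above; the domain records are constructed, use the reserved .test TLD, and stand in for what a real pipeline would pull from passive DNS, RDAP/WHOIS and certificate transparency logs.

```python
"""Score candidate domains against an infrastructure profile built from the
traits named in the TAG-53 report: registrar cluster, ASN cluster and TLS
certificate issuer.  Example code added for this article; records below are
constructed and are not from the report.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Profile traits taken from the report.
PROFILE_REGISTRARS = {"namecheap", "porkbun", "reg.ru", "regway"}
PROFILE_ASNS = {52000, 54290}          # MIRhosting, Hostwinds
PROFILE_CERT_ISSUER = "let's encrypt"  # matched as a substring of the issuer name


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str      # from RDAP/WHOIS
    asn: int            # ASN of the IP the domain resolves to (current or passive DNS)
    cert_issuer: str    # issuer of the X.509 certificate served on port 443


def score(rec: DomainRecord) -> Tuple[int, List[str]]:
    """Return (score, matched traits); one point per matching trait."""
    hits: List[str] = []
    if rec.registrar.strip().lower() in PROFILE_REGISTRARS:
        hits.append("registrar")
    if rec.asn in PROFILE_ASNS:
        hits.append("asn")
    if PROFILE_CERT_ISSUER in rec.cert_issuer.lower():
        hits.append("cert_issuer")
    return len(hits), hits


def triage(records: List[DomainRecord], threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Keep domains matching at least `threshold` traits, highest score first.

    A single trait is weak evidence (Let's Encrypt alone covers a huge share
    of the web), so the default requires two co-occurring traits.
    """
    kept = []
    for rec in records:
        s, hits = score(rec)
        if s >= threshold:
            kept.append((rec.domain, s, hits))
    kept.sort(key=lambda t: (-t[1], t[0]))
    return kept


def asn_concentration(records: List[DomainRecord]) -> List[Tuple[int, int]]:
    """ASNs ranked by how many candidate domains resolve into them.

    This is the view that exposes the 'ten ASNs, two dominate' pattern the
    report describes.
    """
    return Counter(rec.asn for rec in records).most_common()


# Constructed sample input (hypothetical domains, not observed infrastructure).
SAMPLE_RECORDS = [
    DomainRecord("mail-secure-portal.test", "Namecheap", 52000, "Let's Encrypt"),
    DomainRecord("account-verify.test", "Porkbun", 54290, "Let's Encrypt"),
    DomainRecord("corp-intranet.test", "GoDaddy", 16509, "DigiCert Inc"),
    DomainRecord("blog.test", "Namecheap", 13335, "Let's Encrypt"),
    DomainRecord("docs-share.test", "REG.RU", 54290, "Sectigo Limited"),
]

if __name__ == "__main__":
    for domain, s, hits in triage(SAMPLE_RECORDS):
        print(f"{domain:28} score={s} traits={','.join(hits)}")
    print("ASN concentration:", asn_concentration(SAMPLE_RECORDS))
```

The threshold is the point a practitioner should tune: each trait on its own (a popular registrar, a common hosting ASN, a free certificate authority) also describes a great deal of benign infrastructure, so the score is a pivot for further review, not an attribution. The domain-name pattern the report mentions is not described on the page and is therefore deliberately left out of the profile.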

Recorded Future disclosed in a September report that eight semiconductor companies have been attacked and extorted by ransomware actors since the start of this year. These attacks included using LockBit, LV ransomware, and Cuba ransomware and were carried out by extortion groups, including the Lapsus$ Group and RansomHouse.