SEABORGIUM APT group targets defense, NGOs, think tanks, higher education in NATO countries, especially in US, UK

The Microsoft Threat Intelligence Center (MSTIC) disclosed Monday that it has observed and taken action to disrupt campaigns launched by SEABORGIUM, a hacker group that the software giant has tracked since 2017. Originating from Russia, the group has been identified as a highly persistent threat actor that frequently targets the same organizations over long periods. Once it gains a foothold, it slowly infiltrates the targeted organizations' social networks through constant impersonation, rapport building, and phishing to deepen its intrusion.

“SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics,” the Microsoft blog post said. “Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association,” it added. 

Since the start of this year, Microsoft has observed SEABORGIUM campaigns targeting over 30 organizations and the personal accounts of people of interest. The group primarily targets NATO countries, particularly the U.S. and the U.K., with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. The targeting has also included the Ukrainian government sector in the months leading up to the invasion by Russia, as well as organizations involved in supporting roles for the war in Ukraine.

“Despite some targeting of these organizations, Microsoft assesses that Ukraine is likely not a primary focus for this actor; however, it is most likely a reactive focus area for the actor and one of many diverse targets,” the post added.

Within the target countries, Microsoft identified that SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. “SEABORGIUM has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to SEABORGIUM activity being delivered to Microsoft consumer email accounts. SEABORGIUM has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad. As with any observed nation-state actor activity, Microsoft directly notifies customers of Microsoft services that have been targeted or compromised, providing them with the information they need to secure their accounts,” it added.

Microsoft revealed that before starting a campaign, SEABORGIUM often conducts reconnaissance of target individuals, focusing on identifying legitimate contacts in the targets’ distant social network or sphere of influence. “Based on some of the impersonations and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.” 

MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically to conduct reconnaissance of employees at specific organizations of interest, the post said. Under its policies, LinkedIn terminated any account identified as engaging in inauthentic or fraudulent behavior, it added.

“SEABORGIUM also registers new email accounts at various consumer email providers, with the email address or alias configured to match legitimate aliases or names of impersonated individuals,” MSTIC researchers said in the post. “While the creation of new consumer accounts is common, we have also observed SEABORGIUM returning to and reusing historical accounts that match the industry of the ultimate target. In one case, we observed SEABORGIUM returning to an account it had not used in a year, indicating potential tracking and reusing of accounts if relevant to targets’ verticals,” they added.

After registering new accounts, SEABORGIUM proceeds to establish contact with its target, Microsoft reported. “In cases of personal or consumer targeting, MSTIC has mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It’s likely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. If the target replies, SEABORGIUM proceeds to send a weaponized email,” it added.

MSTIC has also documented several cases where the actor focuses on a more organizational approach to phishing. In these cases, the actor uses the traditional social engineering approach and typically sends malicious content directly.

Microsoft has identified several variations in how SEABORGIUM delivers the link that directs targets to its credential-stealing infrastructure: placing the URL directly in the body of the email, attaching a PDF file that contains the URL, or sharing a OneDrive link to a PDF file that contains the URL.

“Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx,” the Microsoft post said. “On occasion, Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior. Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials. After credentials are captured, the target is redirected to a website or document to complete the interaction,” it added. 
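The PDF-borne link described above is a good place to add a mail-gateway check. The following is an added example, not code from Microsoft or the article: it pulls every /URI action out of an uncompressed PDF attachment and flags targets whose hostname carries a brand token but is not one of the organization's legitimate hosts. The sample PDF, the LEGIT_HOSTS allowlist and the BRAND_TOKENS list are all constructed for illustration; a production scanner would use a real PDF library, since annotations are often stored in compressed object streams this regex cannot see.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the minimal skeleton of a PDF whose link annotations
# carry /URI actions, mimicking the "PDF attachment containing a URL" delivery.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://login-contoso.example.net/auth\\(1\\)) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://contoso.example.com/report.pdf) >> >> endobj
%%EOF
"""

# Hypothetical allowlist: hosts this organization legitimately links to.
LEGIT_HOSTS = {"contoso.example.com", "login.contoso.example.com"}
# Tokens an impersonation site is likely to put in its hostname.
BRAND_TOKENS = ("contoso", "onedrive", "login")

# Match a /URI action whose target is a PDF literal string; the inner group
# tolerates escaped parentheses (\( and \)) inside the string.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(raw: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for a URL.
    raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in the raw (uncompressed) PDF bytes."""
    return [_unescape(m.group(1)) for m in _URI_RE.finditer(pdf)]


def classify(url: str) -> str:
    """Allowed if the host is known; lookalike if it borrows a brand token."""
    host = (urlparse(url).hostname or "").lower()
    if host in LEGIT_HOSTS:
        return "allowed"
    if any(tok in host for tok in BRAND_TOKENS):
        return "suspicious-lookalike"
    return "unknown-external"


def scan_pdf(pdf: bytes) -> dict[str, str]:
    """Map each embedded link to its verdict; any non-allowed entry warrants review."""
    return {u: classify(u) for u in extract_uris(pdf)}
```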

SEABORGIUM has been observed using stolen credentials to sign in directly to victim email accounts. Based on its experience responding to intrusions by the group on behalf of customers, Microsoft reports that exfiltration of intelligence data, setup of persistent data collection, and access to people of interest were among the activities commonly detected. “Based on the specific victimology, documents stolen, conversations fostered, and sustained collection observed, we assess that espionage is likely a key motivation of the actor,” the post added.

In April, the Symantec Threat Hunter team revealed that a Chinese state-backed advanced persistent threat (APT) group, Cicada, was attacking organizations around the globe in a likely espionage campaign that had been ongoing for several months. Victims of the Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations worldwide, including in Europe, Asia, and North America.

U.S. security agencies released a joint cybersecurity advisory (CSA) last week providing details of known Zeppelin ransomware indicators of compromise (IOCs). It also covered recently and historically observed tactics, techniques, and procedures (TTPs). Based on investigations carried out by the Federal Bureau of Investigation (FBI) as recently as June 21 this year, the threat vectors are associated with ransomware variants.
