The UK’s National Cyber Security Centre (NCSC) has issued a warning over the continual cyberattacks perpetrated by Russian and Iranian hacker groups.
Its report says SEABORGIUM (AKA: Callisto Group/TA446/COLDRIVER/TAG-53) and TA453 (AKA: APT42/Charming Kitten/Yellow Garuda/ITG18) are using spear-phishing techniques targeting institutions and individuals with the aim of gathering intel.
Although the two groups do not appear to be in collusion, they are separately attacking the same types of organizations, which last year included those in the defense sector, government bodies, NGOs and academia, as well as individuals such as politicians, journalists and activists.
Playing the long game
Spear-phishing is a more targeted phishing technique in which the threat actors pretend to have information of particular interest to their victim. They research the target using freely available resources, such as social media profiles and professional networking platforms, to discover their interests and the identities of people they know.
Both groups have gone as far as creating fake social media profiles to impersonate their target’s known contacts, experts within their field and journalists in order to lure them in, as well as creating fake event invitations.
Initial contact is usually benign, as SEABORGIUM and TA453 seek to establish a relationship with their target and gain their trust. The NCSC notes that this phase can last for an extended period.
Once trust is established, they usually deploy a malicious link, either as a bare web address or embedded within a shared document hosted on platforms such as Microsoft OneDrive or Google Drive.
The NCSC even reports that “in one case, [TA453] even set up a Zoom call with the target to share the malicious URL in the chat bar during the call.” The use of multiple fake personas in a single phishing attack has also been reported, in an effort to bolster the façade.
Following these links usually takes the victim to a fake login page controlled by the attackers; any credentials entered there are captured. With these credentials, the attackers log into their victims’ email accounts to steal emails and attachments, and also set up forwarding of incoming emails to their own accounts so they can continue to spy on their victims.
What’s more, they then use the saved contacts in the compromised email account to find yet more victims in follow-on attacks and start the process all over again.
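One defensive check that follows from the forwarding behaviour described above, as an added example that is not part of the NCSC report or this article: scan mailbox audit records for inbox rules or mailbox settings that forward or redirect mail to an address outside the organisation. The record format and the sample records below are constructed and simplified, not the exact schema of any real mail platform, and example.org is assumed to be the organisation's own mail domain.

```python
"""Flag mailbox rules and settings that forward or redirect mail externally.

The JSON-lines audit records are constructed and simplified for this example;
a real deployment would map its own mail platform's audit fields onto them.
"""
import json

# Assumption: the organisation's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example.org"}

# Parameters that cause a copy or redirect of mail to another address.
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")

# Constructed sample audit log: one benign rule, one external forward that also
# deletes the original (hides the copy from the victim), one internal redirect,
# and one mailbox-level forward to an external address.
SAMPLE_AUDIT_LOG = """\
{"user": "analyst@example.org", "operation": "New-InboxRule", "params": {"Name": "Archive", "MoveToFolder": "Old"}}
{"user": "analyst@example.org", "operation": "New-InboxRule", "params": {"Name": ".", "ForwardTo": "backup-mail@example-mailbox.net", "DeleteMessage": true}}
{"user": "press@example.org", "operation": "Set-InboxRule", "params": {"Name": "Team", "RedirectTo": "desk@example.org"}}
{"user": "ceo@example.org", "operation": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:ceo.archive@example-drive.com"}}
"""


def external_recipients(params, internal_domains=INTERNAL_DOMAINS):
    """Return every forwarding/redirect target whose domain is not internal."""
    found = []
    for key in FORWARDING_KEYS:
        value = params.get(key)
        if not value:
            continue
        for addr in (value if isinstance(value, list) else [value]):
            addr = addr.strip().lower()
            if addr.startswith("smtp:"):  # mailbox-level forwards often carry a prefix
                addr = addr[len("smtp:"):]
            domain = addr.rsplit("@", 1)[-1]
            if domain not in internal_domains:
                found.append(addr)
    return found


def find_external_forwarding(log_text, internal_domains=INTERNAL_DOMAINS):
    """Scan JSON-lines audit records and return one alert per external forward."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operation") not in RULE_OPERATIONS:
            continue
        params = rec.get("params", {})
        targets = external_recipients(params, internal_domains)
        if targets:
            alerts.append({"user": rec["user"], "operation": rec["operation"],
                           "external": targets,
                           "deletes_original": bool(params.get("DeleteMessage"))})
    return alerts
```

A rule that both forwards externally and deletes the original (the second sample record) is the pattern most worth escalating, since it keeps the victim from noticing the copies.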
Both SEABORGIUM and TA453 use accounts from common email providers, such as Outlook and Gmail, to create spoofed identities when first approaching their target. They have also registered fake domains impersonating seemingly legitimate organizations; those currently known to be linked to SEABORGIUM have been published in a list by the Microsoft Threat Intelligence Center (MSTIC).
Cybersecurity firm Proofpoint has been on the tail of the Iranian TA453 group since 2020, largely echoing the same findings as the NCSC: “[TA453] campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation.”
Proofpoint also noted that other targets of the group have included medical researchers, an aerospace engineer, a realtor, and travel agencies, and issued the following warning:
“Researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts that are approached by journalists should check the publication’s website to see if the email address belongs to a legitimate reporter.”