Seaborgium targets sensitive industries in several countries


New research from Microsoft Threat Intelligence Center (MSTIC) sheds light on a cyberespionage threat actor known as Seaborgium.

Who is Seaborgium?

Seaborgium is a threat actor originating from Russia and tracked by Microsoft since 2017. It is a highly persistent actor that compromises companies and individuals of interest; in 2022 it has targeted over 30 organizations in addition to the personal accounts of individuals. Based on technical indicators and tactics, the threat actor overlaps with Callisto Group, TA446 and ColdRiver. The Security Service of Ukraine has associated the actor with the Gamaredon group; however, Microsoft’s researchers have not observed any link supporting this association.

Targets for Seaborgium

The primary target of this threat actor is currently NATO countries, particularly the U.K. and the U.S. Occasional targeting of other countries has also occurred, including countries in the Baltics, the Nordics and Eastern Europe. Of particular interest is the targeting of Ukraine in the months prior to the invasion by Russia, and organizations playing a role in the war in Ukraine. Microsoft states that Ukraine is likely not a primary target for Seaborgium, and that attacks aimed at this country are probably a reactive focus area for the actor.

Seaborgium’s targets are defense and intelligence consulting companies, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), think tanks and higher education, according to Microsoft. In addition, 30% of Seaborgium’s activity targets Microsoft consumer email accounts, former intelligence officials, experts in Russian affairs and Russian citizens abroad.


Modus operandi

Researchers from MSTIC observed consistent methodology with only slight modifications in the social engineering approach that Seaborgium uses.

For starters, the threat actor works at knowing its target; this is the reconnaissance phase of the attack. The goal is to identify legitimate contacts in the target’s distant social network or sphere of influence. The attacker appears to use open-source intelligence (OSINT), personal directories and social media platforms to achieve that task. MSTIC reveals, in partnership with LinkedIn, that the threat actor has created fake LinkedIn profiles to conduct reconnaissance of employees from specific organizations of interest (Figure A).

Figure A: Fake LinkedIn profile created by Seaborgium threat actor. Image: Microsoft

The identified accounts created by the threat actor have been terminated by LinkedIn.

Seaborgium also creates new email addresses at various email providers, setting them to match legitimate aliases or names of impersonated individuals. On one occasion, the researchers saw the threat actor reuse an account that had not been used in a year to target a matching industry. This indicates a well-organized threat actor, probably tracking and reusing accounts when relevant.

Once all this setup is done, the threat actor reaches the target with a benign email message referencing a non-existent attachment that supposedly contained a topic of interest for the target (Figure B).

Figure B: Sample emails sent from Seaborgium to targets. Image: Microsoft

In other cases, the actor adopts a more direct approach and sends malicious content (Figure C).

Figure C: Sample email containing malicious content sent to a target. Image: Microsoft

As for the malicious content, it can be as simple as a URL leading to a phishing page, sometimes obfuscated using URL shorteners, or it can be an attached PDF file containing a URL leading to a phishing page. Finally, the attacker might also use PDF files hosted on OneDrive, once again containing a link to a phishing page.

The landing phishing page is hosted on an attacker-controlled server running a phishing framework, most often Evilginx. The framework prompts the target for authentication, mirroring the sign-in page of a legitimate provider, which lets the attacker capture the target’s credentials. Once those credentials are captured, the user is redirected to a website or document to complete the interaction.

Seaborgium then uses these credentials to exfiltrate the target’s emails and file attachments directly from their mailbox. In a few cases, the attacker has set up forwarding rules to an actor-controlled email address. Among the emails of interest to the attacker is mailing-list data from private and sensitive groups, such as those used by former intelligence officials.
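A defender-side check suggested by the forwarding-rule behaviour described above, as an added example that is not part of the original article or of Microsoft’s research: it scans mailbox audit records for inbox rules that forward mail outside the organisation and raises the score when the rule also deletes the original or carries a throwaway name. The records, field names (modelled on Exchange-style inbox-rule parameters), domains and addresses are constructed assumptions.

```python
import json

# Constructed sample audit records (not real data). Field names are an
# assumption modelled on Exchange-style inbox-rule parameters; adapt to
# whatever schema your mail platform actually emits.
SAMPLE_AUDIT_LOG = """
{"ts": "2022-08-15T09:12:03Z", "user": "analyst@example.org", "op": "New-InboxRule", "params": {"Name": "Archive", "MoveToFolder": "Archive", "From": "newsletter@example.org"}}
{"ts": "2022-08-15T09:40:51Z", "user": "director@example.org", "op": "New-InboxRule", "params": {"Name": ".", "ForwardTo": "mail-backup@attacker-controlled.example", "DeleteMessage": true}}
{"ts": "2022-08-15T10:02:17Z", "user": "hr@example.org", "op": "Set-InboxRule", "params": {"Name": "To team", "ForwardTo": "team@example.org"}}
{"ts": "2022-08-15T10:30:00Z", "user": "ciso@example.org", "op": "New-InboxRule", "params": {"Name": "Ext", "RedirectTo": "ciso.personal@webmail.example"}}
"""

INTERNAL_DOMAINS = {"example.org"}          # assumed organisation domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def external_targets(params, internal_domains):
    """Return every forwarding/redirect address whose domain is not internal."""
    targets = []
    for key in FORWARD_KEYS:
        value = params.get(key)
        if not value:
            continue
        for addr in (value if isinstance(value, list) else [value]):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                targets.append(addr)
    return targets


def find_suspicious_rules(log_text, internal_domains=INTERNAL_DOMAINS):
    """Flag rule-creation events that forward mail outside the organisation."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("op") not in RULE_OPS:
            continue
        params = rec.get("params", {})
        targets = external_targets(params, internal_domains)
        if not targets:
            continue
        # External forwarding is the core signal; deleting the original and a
        # blank or one-character rule name are common ways to keep it unnoticed.
        score, reasons = 1, ["forwards outside the organisation"]
        if params.get("DeleteMessage"):
            score, reasons = score + 1, reasons + ["deletes the original message"]
        if len(params.get("Name", "")) <= 1:
            score, reasons = score + 1, reasons + ["rule name is empty or one character"]
        findings.append({"ts": rec["ts"], "user": rec["user"], "targets": targets,
                         "score": score, "reasons": reasons})
    return findings
```

In a real deployment the same logic runs over the platform's rule-creation audit stream, and any hit on a mailbox whose owner did not knowingly create the rule is treated as a likely credential compromise.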


More than cyberespionage

While Seaborgium’s main goal is cyberespionage, the group has sporadically been involved in information operations, according to Microsoft.

In May 2021, MSTIC observed the threat actor sharing documents stolen from a political organization in the U.K. The documents were uploaded to a public PDF file-sharing website, while the threat actor amplified them via its social media accounts. Further amplification, however, was minimal.

One year later, an information operation was attributed by Google’s Threat Analysis Group (TAG) to ColdRiver/SeaBorgium, as confirmed by Microsoft. The threat actor leaked emails and documents from 2018 to 2022, which were allegedly stolen from email accounts belonging to high-level proponents of Brexit.

How to protect against this threat?

Typical operations from this threat actor vary little over time and are heavily focused on email. Therefore, email filtering should be configured and email security solutions deployed.

Filtering solutions should also be enabled directly in the browser to avoid accessing a known phishing page.

Multi-factor authentication (MFA) should also be employed, preferably without relying on telephony, as attackers might be able to bypass it. More secure implementations such as FIDO tokens or authenticator applications should be used instead.

Users should also carefully check the emails they receive and verify that they come from their contact’s usual email address. Should a message come from a new address, they should reach the contact another way, such as a phone call, to confirm it really came from them.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
