Microsoft puts an end to a phishing campaign by the Russian group Seaborgium

Microsoft is hardening its stance against the hackers of the Seaborgium group. The Redmond firm claims to have disrupted the activities of this Russia-based organization, which it has been monitoring since 2017. All accounts used by the group have been deactivated, and Microsoft Defender SmartScreen has been updated to detect its domains. According to Microsoft, the hackers operated mainly through phishing campaigns and credential theft in order to get their hands on confidential data.

A fake profile spotted by Microsoft.

More than 30 organizations have been targeted since the beginning of the year (NGOs, defense and intelligence consulting companies, etc.), as well as expatriate Russian citizens and business experts linked to the country. The LinkedIn professional network was often used to make contact with victims.

Seaborgium's technique is to create fake accounts under pseudonyms or the names of the target's colleagues. This builds trust with the targeted person, after which the hackers start a conversation aimed at getting them to click on a URL leading to a phishing site.

Example of fraudulent email sent to victims.

The techniques for tricking the victim are varied: the hackers may encourage them to click on an “interesting link”, or pass off a PDF to be downloaded as required reading requested by a superior. The malicious link can be embedded directly in the body of an email, or in a fake attachment hosted on OneDrive.

Mail showing fake OneDrive file sharing. The download link actually redirects to a phishing site.

Unsurprisingly, the sites run by the hackers imitate a legitimate domain and prompt the visitor to enter their credentials. Once this information has been harvested, Microsoft explains, the attackers mainly engaged in the theft of e-mails to obtain confidential data. They were also able to use the stolen accounts to approach further victims.
