Microsoft revealed on Monday that it had taken steps to disrupt phishing operations undertaken by a “highly persistent threat actor” whose goals closely align with the interests of the Russian state.
The company tracks the espionage-focused group under its chemical-element-themed moniker SEABORGIUM, which it says overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.
“SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries,” Microsoft’s threat hunting teams said. “Its campaigns involve persistent phishing and credential theft campaigns leading to breaches and data theft.”
Attacks launched by the adversarial collective are known to target the same organizations using consistent methodologies applied over long periods of time, allowing it to infiltrate victims’ social networks through a combination of impersonation, relationship building, and phishing.
Microsoft said it observed “only slight deviations in their social engineering approaches and how they deliver the initial malicious URL to their targets.”
Primary targets are defense and intelligence consulting firms, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and institutions of higher learning located primarily in the United States and the United Kingdom, and to a lesser extent in the Baltic countries, the Nordic countries, and Eastern Europe.
Other targets of interest are former intelligence officials, experts on Russian affairs, and Russian citizens abroad. More than 30 organizations and personal accounts are estimated to have been on the receiving end of its campaigns since the start of 2022.
It all starts with reconnaissance of potential individuals using fake personas created on social media platforms like LinkedIn, before establishing contact with them via benign emails sent from newly registered accounts configured to match the names of the impersonated individuals.
In the event that the target falls for the social engineering attempt, the threat actor activates the attack sequence by sending a weaponized message incorporating a booby-trapped PDF document or a link to a file hosted on OneDrive.
“SEABORGIUM is also abusing OneDrive to host PDF files that contain a link to the malicious URL,” Microsoft said. “The actors include a OneDrive link in the body of the email which, when clicked, directs the user to a PDF file hosted in a OneDrive account controlled by SEABORGIUM.”
Additionally, the adversary was found to conceal its operational infrastructure by using seemingly innocuous open redirects to bounce users to the malicious server, which in turn prompts them to enter their credentials in order to view the contents.
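The open-redirect trick described above works because the link a recipient sees points at a reputable host while a query parameter carries the real destination. The following Python is an added example written for this article, not code from Microsoft or from the report; it scans an email body for links whose redirect parameter names a different host than the link itself. The parameter names in REDIRECT_PARAMS and the sample message (all hostnames are placeholders) are assumptions of the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query-parameter names commonly used by redirect endpoints (an assumption of this
# example; tune the list to the redirectors seen in your own mail flow).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "target", "dest", "goto", "u"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_external_redirect(link):
    """Return (redirector_host, target_host) when `link` carries a redirect
    parameter whose value is an absolute or protocol-relative URL on a
    different host; return None for plain links and same-site/relative targets."""
    parsed = urlparse(link)
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            target = urlparse(value)
            # Absolute (http/https) and protocol-relative ("//host/...") targets
            # carry a hostname; relative paths such as "/dashboard" do not.
            if target.scheme in ("", "http", "https") and target.hostname:
                if target.hostname != parsed.hostname:
                    return parsed.hostname, target.hostname
    return None


def flag_links(body):
    """Scan an email body and return (link, redirector_host, target_host) for
    every link that bounces the reader off the host shown in the link."""
    hits = []
    for link in URL_RE.findall(body):
        hit = find_external_redirect(link)
        if hit:
            hits.append((link, hit[0], hit[1]))
    return hits


# Constructed sample message; the hosts are placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
Hi, the document we discussed is available below.
https://trusted.example/out?url=https%3A%2F%2Flogin-portal.example%2Fview%3Fid%3D7
Background reading: https://trusted.example/docs?page=2
Internal link: https://trusted.example/redirect?next=/dashboard
Mirror: https://trusted.example/r?u=//login-portal.example/doc
"""

if __name__ == "__main__":
    for link, via, dest in flag_links(SAMPLE_EMAIL):
        print(f"redirect via {via} -> {dest}: {link}")
```

Run against the constructed message, the first and last links are flagged (the encoded absolute URL and the protocol-relative one), while the pagination parameter and the same-site relative path are left alone. In practice the flagged target host is what to feed into URL reputation checks and mail-flow rules, since the visible redirector host is exactly what the actor relies on to look harmless.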
The final phase of the attacks involves abusing the stolen credentials to gain access to victims’ email accounts, using the unauthorized logins to exfiltrate emails and attachments, set up email forwarding rules to ensure sustained data collection, and carry out other follow-on activities.
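Forwarding rules are the one part of this phase that leaves a durable trace in mailbox audit logs, so they are a natural detection point. The Python below is an added example for this article, not code from Microsoft; it walks a list of audit events shaped like Exchange Online records (Operation, UserId, Parameters) and raises an alert whenever a rule or mailbox setting forwards mail to an address outside the organization's own domains. The ORG_DOMAINS set and the sample events (users, rule names and domains are placeholders) are assumptions of the example.

```python
import re

# Assumption of this example: the tenant's own accepted domains. Forwarding to
# any other domain is treated as external.
ORG_DOMAINS = {"corp.example"}

# Audit operations that can establish forwarding, and the parameters that
# carry the destination address.
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def forwarding_alert(event):
    """Return an alert dict if `event` creates or changes forwarding to an
    external address, else None."""
    if event.get("Operation") not in FORWARD_OPS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    # Destination values come in several shapes ("user@host", "smtp:user@host",
    # '"Name" [SMTP:user@host]'); the regex pulls the address out of all of them.
    targets = []
    for name in sorted(FORWARD_PARAMS):
        targets.extend(EMAIL_RE.findall(params.get(name, "")))
    external = sorted({t.lower() for t in targets
                       if t.split("@")[-1].lower() not in ORG_DOMAINS})
    if not external:
        return None
    return {
        "time": event.get("CreationTime"),
        "user": event.get("UserId"),
        "operation": event["Operation"],
        "targets": external,
        # A rule that also deletes the message hides the forwarded copy from the victim.
        "hides_copy": params.get("DeleteMessage", "").lower() == "true",
    }


def scan(events):
    """Return alerts for every event in `events` that forwards mail externally."""
    return [a for a in (forwarding_alert(e) for e in events) if a]


# Constructed audit events; users, rule names and domains are placeholders.
SAMPLE_EVENTS = [
    {"CreationTime": "2022-08-15T09:12:44", "UserId": "analyst@corp.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo",
                     "Value": '"Archive" [SMTP:collector@mail-archive.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2022-08-15T10:02:10", "UserId": "analyst@corp.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2022-08-15T11:30:01", "UserId": "admin@corp.example",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "analyst"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:shared-team@corp.example"}]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first event fires: it forwards to a domain outside the organization and deletes the original, which is the combination that lets collection continue unnoticed. The folder-move rule and the internal mailbox forward are ignored. Pairing such alerts with the sign-in that preceded the rule change (a new location or device for the same account) is what turns this into a credible signal of a compromised mailbox rather than a user housekeeping their inbox.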
“There have been several instances where SEABORGIUM has been observed using its impersonation accounts to facilitate dialogue with specific persons of interest and, as a result, has been included in conversations, sometimes unwittingly, involving multiple parties,” Redmond pointed out.