The United Kingdom’s National Cyber Security Center (NCSC) has issued a warning about ongoing cyberattacks perpetrated by Russian and Iranian hacker groups.
Its report says SEABORGIUM (AKA: Callisto Group/TA446/COLDRIVER/TAG-53) and TA453 (AKA: APT42/Charming Kitten/Yellow Garuda/ITG18) are using spear-phishing techniques to target organizations and individuals with the aim of gathering information.
Although the two groups do not appear to be in collusion, they are separately attacking the same types of organizations, which last year included government agencies, NGOs and those in the defense and education sectors, as well as individuals such as politicians, journalists and activists.
Play the long game
Spear-phishing is a more subtle phishing tactic, in which the perpetrator pretends to possess information of particular interest to the victim. In the case of SEABORGIUM and TA453, they achieve this by researching freely available resources, such as social media profiles and professional networking platforms, to learn about their target and the identities of people they know.
Both groups have gone so far as to create fake social media profiles, to impersonate known contacts of their target, as well as experts in their field and journalists, all in an effort to woo them.
There is usually harmless communication at first, as SEABORGIUM and TA453 seek to establish a relationship with their target to gain their trust. The NCSC notes that this could go on for a long time.
Once they have that trust, they will usually send a malicious link, either disguised in an email message or embedded in a document shared on platforms such as Microsoft OneDrive or Google Drive.
The NCSC reports that “in one case, [TA453] even set up a Zoom call with the target to share the malicious URL in the chat bar during the call.” It has also been reported that multiple fake personas were used in a single phishing attack, in an attempt to boost credibility.
Following these links usually takes the victim to a fake login page controlled by the attackers, and once their credentials are entered, they are stolen. With these, hackers log into their victims’ email accounts to steal emails, attachments, and also forward incoming emails to their own accounts to spy on them constantly.
Moreover, they then use the contacts saved in the hacked email account to find more victims in follow-up attacks and start the process over.
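The post-compromise step described above, forwarding a victim's incoming mail to an attacker-controlled account, leaves a trace in mailbox audit logs. As an added example (not from the NCSC report or either vendor), the following Python scans mailbox-configuration audit records for forwarding or redirect rules that point outside the organization. The record layout is a constructed, simplified shape rather than a real audit export, and the internal domain is an assumption.

```python
# Domains treated as internal; hypothetical value for the example.
INTERNAL_DOMAINS = {"example.org"}

# Mailbox operations that can set up forwarding, and their address-carrying parameters.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

# Constructed sample records in a simplified shape (not a real audit export format).
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2023-01-26T09:14:02", "UserId": "analyst@example.org",
     "Operation": "New-InboxRule", "Parameters": {"Name": "Archive", "DeleteMessage": True,
                                                  "ForwardTo": ["smtp:collector@mail-example.net"]}},
    {"CreationTime": "2023-01-26T10:02:41", "UserId": "hr@example.org",
     "Operation": "Set-Mailbox",
     "Parameters": {"ForwardingSmtpAddress": "smtp:shared@example.org"}},
    {"CreationTime": "2023-01-26T11:30:00", "UserId": "analyst@example.org",
     "Operation": "New-InboxRule",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

def forwarding_targets(record: dict) -> list[str]:
    """Collect every destination address a record configures, if any."""
    if record.get("Operation") not in FORWARDING_OPERATIONS:
        return []
    params = record.get("Parameters", {})
    targets: list[str] = []
    for key in FORWARDING_PARAMETERS:
        value = params.get(key)
        if isinstance(value, str):
            targets.append(value)
        elif isinstance(value, list):
            targets.extend(value)
    return targets

def is_external(address: str, internal_domains: set[str] = INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one of ours (an 'smtp:' prefix is stripped)."""
    domain = address.split(":", 1)[-1].rsplit("@", 1)[-1].lower()
    return domain not in internal_domains

def find_external_forwarding(records, internal_domains: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Flag records that forward or redirect mail outside the organization."""
    findings = []
    for record in records:
        external = [t for t in forwarding_targets(record) if is_external(t, internal_domains)]
        if external:
            findings.append({"user": record["UserId"], "time": record["CreationTime"],
                             "operation": record["Operation"], "targets": external})
    return findings

for hit in find_external_forwarding(SAMPLE_AUDIT_LOG):
    print(f"{hit['time']} {hit['user']} {hit['operation']} -> {hit['targets']}")
```

Only the first constructed record is flagged: the internal forwarding address and the move-to-folder rule are left alone, which keeps the alert volume manageable on a real tenant.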
SEABORGIUM and TA453 both use accounts from popular email service providers, such as Outlook and Gmail, to create phishing identities when first approaching their target. They also register fake domains that imitate seemingly legitimate organizations. Indicators currently known to be associated with SEABORGIUM have been published in a list courtesy of the Microsoft Threat Intelligence Center (MSTIC).
Cybersecurity firm Proofpoint has been tracking Iran’s TA453 group since 2020, and its findings largely echo the NCSC’s: “[TA453] Campaigns might start with weeks of heartwarming conversations from accounts created by actors before the exploit was attempted.”
They also indicated that other targets of the group included medical researchers, an aviation engineer, a real estate broker, and travel agencies. In addition, the company issued the following warning:
“Researchers involved with international security, especially those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts contacted by journalists should check the publication’s website for information on whether the email address belongs to a legitimate correspondent.”