Reckon Russian spies are lurking in your inbox? Check for these IOCs, Microsoft says
Seaborgium targeted dozens of orgs this year alone
Microsoft said it disabled accounts used by Russian-linked Seaborgium troupe to phish and steal credentials from its customers as part of the cybercrime gang's illicit spying and data-stealing activities.
This included using email, OneDrive and other Microsoft cloud services accounts, as well as phony LinkedIn profiles that the criminals used to scope out employees who work for target organizations.
The gang of miscreants is tracked by several other names by other threat intel firms. This includes TA446 by Proofpoint, Coldriver by Google, which has previously warned about the crooks using Gmail accounts for their phishing expeditions, and Callisto Group [PDF] by WithSecure (formerly F-Secure).
In May, Google and Reuters attributed a hack-and-leak campaign to Coldriver, aka Seaborgium, in which the criminals leaked emails and documents reportedly stolen from high-level Brexit proponents, including former British spymaster Richard Dearlove. These documents were then spread on social media to amplify a false narrative that Brexit proponents were planning a coup.
"I am well aware of a Russian operation against a Proton account which contained emails to and from me," Dearlove told Reuters at the time, referring to the privacy-focused email service ProtonMail.
The gang likes to target the same organizations over an extended period of time, primarily those in NATO countries, especially the US and UK). And, for the most part, it focuses on defense and intelligence consulting companies, non-governmental and intergovernmental organizations, think tanks and higher education.
30+ orgs targeted this year
Since the beginning of the year, Redmond said it noted Seaborgium campaigns targeting more than 30 organizations, as well as personal email accounts belonging to former intelligence officials, Russian experts, and Russian citizens abroad. In fact, 30 percent of the software giant's nation-state notifications related to Seaborgium activity have been delivered to customers' personal email accounts, according to the Microsoft Threat Intelligence Center (MSTIC).
"While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other non-state ecosystems, MSTIC assesses that information collected during Seaborgium intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations," the security alert noted.
- Google: Russian credential thieves target NATO, Eastern European military
- Microsoft trumps Google for 2021-22 bug bounty payouts
- Cloudflare: Someone tried to pull the Twilio phishing tactic on us too
- Cisco admits corporate network compromised by gang with links to Lapsus$
The criminals play a long game, and they've been using the same tactics for "several years," according to the warning. Seaborgium "slowly infiltrates targeted organizations' social networks through constant impersonation, rapport building, and phishing to deepen their intrusion," it added.
While Redmond didn't specify the number of Seaborgium-linked accounts it disabled, the threat hunting team noted new detection capabilities added to Microsoft Defender SmartScreen to protect customers from the group's phishing domains.
It also provided a fairly detailed analysis of the group's operational tactics and campaign examples, as well as a long list of indicators of compromise (ICOs) and recommended actions for IT folks.
Let's be friends
Before it begins the actual cyberespionage or data exfiltration attack, Seaborgium uses social engineering tactics to build rapport with individuals in the same industries or social circles of the target company's employees. In addition to using fake LinkedIn profiles for this type of reconnaissance activity, the gang likely uses other social media platforms, personal directories and general open-source intelligence, according to Microsoft.
The criminals make contact with their targets via email, and for this they register new accounts with different consumer email providers, and they use email addresses or alias designed to look like a legitimate person.
"In cases of personal or consumer targeting, MSTIC has mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target," the security alert said.
This initial email probably helps to avoid suspicion, and if the target replies it also opens an opportunity for Seaborgium to send a weaponized email — such as a link to a malicious URL, or a OneDrive file attachment that includes a link to a Seaborgium-controlled site that the crooks use to harvest user credentials.
Criminals use the stolen credentials to sign in to victims' email accounts, and from there they can read emails, exfiltrate attachments, set up forwarding rules from victims' inboxes to Seaborgium-controlled accounts, and even use these legitimate email accounts to impersonate victims and trick other high-profile targets into disclosing sensitive information in messages.
"Based on the specific victimology, documents stolen, conversations fostered, and sustained collection observed, we assess that espionage is likely a key motivation of the actor," Redmond noted.
How to protect against Seaborgium
The good news is that there are several measures that can be taken to mitigate Seaborgium's techniques, according to Microsoft. This includes setting Office 365 email setting to block spoofed emails, spam and emails with malware, and disabling email auto-forwarding.
The security team also recommends requiring multi-factor authentication (MFA) for all users from all locations — even trusted ones — and using more secure MFA methods like FIDO tokens or authenticator tools with number matching, as opposed to telephony-based MFA.
Additionally, organizations should check their environment for any Seaborgium indicators of compromise (there's a long list included in the analysis) and use those to assess potential intruders. ®