This article is more than 1 year old
UK Cyber Security Centre's scary new story: One phish, two phish, Russia phish, Iran phish
Nice people on LinkedIn want to harvest logins from politicians, boffins, and defense types
The UK's National Cyber Security Centre (NCSC) has warned of two similar spear-phishing campaigns, one originating from Russia, the other from Iran.
The NCSC has attributed the campaigns to a Russia-based group called SEABORGIUM and the Iran-based TA453 group, also known as APT42. The threat groups target individuals working in academia, defence, government, non-government organisations, and think-tanks. Politicians, journalists and activists are also a target in an attempt to gather sensitive information.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” warned NCSC director of operations Paul Chichester.
- Reckon Russian spies are lurking in your inbox? Check for these IOCs, Microsoft says
- Mandiant links APT42 to Iranian 'terrorist org'
- Iran-linked Charming Kitten espionage gang bares claws to pollies, power orgs
- Iranian cyberspies exploited Log4j to break into a US govt network
The groups typically groom targets with emails or on platforms like LinkedIn, where the attackers create personalities with plausible back stories. Once trust is established, the victim is often lured into clicking on malicious links. In the past, those links have included false invitations to conferences, or URLs to all the fun and glamour of a Zoom meeting.
The target could then be led to a server controlled by the threat group that prompts the input of credentials. SEABORIUM in particular has been known to set up email forwarding to monitor future activity of the victim, even after they have reset their credentials.
The NCSC hence recommends disabling mail-forwarding as one spear-phishing mitigation tactic. The usual mitigation tactics are also recommended: strong passwords used only for email accounts, MFA, enabling built-in email scanning features, and ongoing vigilance.
Google cybersecurity subsidiary Mandiant and email security vendor Proofpoint have both linked TA453 to the Islamic Revolutionary Guard Corps.
Microsoft has characterized SEABORGIUM as having goals that align with Russian state interests. ®