Microsoft's Threat Intelligence Center (MSTIC) has taken steps to disrupt the operations of "Seaborgium," a Russia-based threat actor that has been involved in persistent spear-phishing and credential-theft campaigns aimed at organizations and individuals in NATO countries since at least 2017.
The threat actor's primary motivation appears to be cyber espionage. Its victims include numerous organizations in the defense and intelligence communities, nongovernmental organizations, think tanks, higher-education institutions, and intergovernmental organizations, mainly in the US and UK. Microsoft said it has identified some 30 organizations that have been targeted in Seaborgium campaigns so far this year alone.
"Seaborgium has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to Seaborgium activity being delivered to Microsoft consumer email accounts," Microsoft said in a blog post this week. Targeted individuals have included former intelligence officials, Russian experts, and Russian citizens outside the country that are of interest to Moscow. Available telemetry and tactics suggest overlaps between Seaborgium and threat groups that others are variously tracking as the Callisto Group, ColdRiver, and TA446, Microsoft said.
Seaborgium is just one of multiple Russia-based groups that are targeting US firms in cyber-espionage campaigns currently. Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about Russian actors systematically stealing sensitive, but not classified, data on US weapons development and technologies used by the US military and government. The warning followed one from January about the potential for more Russian attacks on US targets in retaliation for US-led sanctions over the war in Ukraine.
In its blog post, Microsoft described Seaborgium actors as using mostly the same social-engineering tactics over the years to try to gain an initial foothold in a target organization. Before launching a campaign, the threat actor has typically tended to conduct extensive research on targeted individuals to identify their social and business contacts. The research has often involved the threat actor using social media platforms — including fraudulent profiles on LinkedIn — and publicly available information to gather intel on individuals of interest.
They then have used the information to impersonate individuals known to the target and contacted them using new email accounts with email addresses or aliases configured to match the names or aliases of the impersonated individuals, Microsoft said. The tone of the initial contact is usually different depending on whether an individual is a personal/consumer target or someone working in a targeted organization. In the case of the former, Seaborgium actors have typically started with a benign email that exchanges pleasantries on topics of interest to the target and references a nonexistent attachment. Microsoft surmised that the goal of taking this approach is likely to establish a rapport with a target. If the phishing email recipient replies, the threat actor responds with an email containing a link to their credential-stealing infrastructure.
Seaborgium's phishing emails have a more businesslike and organizational tone to them for individuals within a target organization. In these situations, the threat actors have shown a tendency to take a more authoritative approach in directing email recipients to the credential-stealing site — for example, by using cybersecurity-themed lures. In most campaigns, Seaborgium actors have embedded the URL to their credential-stealing site directly in the email body itself, Microsoft said. But of late, the threat actor has also been using PDF files and attachments spoofing a document or file-hosting service — often OneDrive — to distribute the link.
Using Stolen Credentials to Steal Emails and Attachments
Microsoft said its researchers have observed Seaborgium using stolen credentials to directly log in to victims' email accounts and steal their emails and attachments. In a few instances, the threat actor has also been observed configuring victim email accounts to forward emails to attacker-controlled addresses.
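A defender-side check for the mailbox forwarding described above, as an added example that is not Microsoft's detection logic or code from the original article: it scans constructed, simplified audit records, loosely modelled on Exchange Online mailbox audit events (the field names and sample values are assumptions for illustration), and flags forwarding rules or mailbox settings that send mail to a domain the organization does not own.

```python
"""Flag mailbox forwarding changes that send mail outside the organization."""
import json

# Domains the organization owns (assumption for this example).
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}

# Operations and parameters that redirect or copy mail to another address.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed audit records (JSON lines), not real telemetry.
SAMPLE_AUDIT = [
    '{"CreationTime":"2022-08-10T09:12:01","Operation":"New-InboxRule","UserId":"alice@example.org",'
    '"Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"collector@mail-relay.example.net"}]}',
    '{"CreationTime":"2022-08-10T09:20:44","Operation":"Set-Mailbox","UserId":"bob@example.org",'
    '"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:Bob.Personal@freemail.example"},'
    '{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    '{"CreationTime":"2022-08-10T10:01:13","Operation":"New-InboxRule","UserId":"carol@example.org",'
    '"Parameters":[{"Name":"Name","Value":"Team"},{"Name":"RedirectTo","Value":"dave@example.org"}]}',
    '{"CreationTime":"2022-08-10T10:05:00","Operation":"MailItemsAccessed","UserId":"alice@example.org","Parameters":[]}',
]


def normalize_address(value):
    """Lower-case an address and strip an 'smtp:' prefix or 'Name <addr>' wrapper."""
    addr = value.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr


def external_forwarding_targets(record):
    """Return the external addresses a forwarding-related record points at."""
    if record.get("Operation") not in FORWARDING_OPERATIONS:
        return []
    hits = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        # A parameter may carry several recipients separated by ';'.
        for target in str(param.get("Value", "")).split(";"):
            addr = normalize_address(target)
            if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                hits.append(addr)
    return hits


def find_external_forwarding(lines):
    """Yield (mailbox, operation, external targets) for each suspicious record."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        targets = external_forwarding_targets(record)
        if targets:
            alerts.append((record["UserId"], record["Operation"], targets))
    return alerts


if __name__ == "__main__":
    for mailbox, operation, targets in find_external_forwarding(SAMPLE_AUDIT):
        print(f"ALERT {mailbox}: {operation} forwards to {', '.join(targets)}")
```

Rules forwarding to an internal colleague and unrelated audit events are left alone, so the output is limited to the two changes that move mail off the organization's domains.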
"There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialogue with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Microsoft said, adding that often these conversations have involved potentially sensitive information.
As far as the disruption goes, the computing giant has now disabled accounts that Seaborgium actors have been using for victim reconnaissance, phishing, and other malicious activities. This includes multiple LinkedIn accounts. It has also developed detections for phishing domains associated with Seaborgium.
F-Secure, which refers to the threat actor as the Callisto Group, has been tracking its activities since 2015. In a 2017 report, the security vendor had described Callisto Group as a sophisticated actor targeting governments, journalists, and think tanks in the EU and parts of eastern Europe. F-Secure had described the group's campaigns as involving highly convincing spear-phishing emails often sent from legitimate email accounts to which the threat actor had previously gained access, using stolen credentials.
More recently, Google warned about the threat actor in a broader update on malicious cyber activity in eastern Europe since the start of the Ukraine war in February. The company said it had observed ColdRiver — its name for Seaborgium — continuing to use Gmail accounts to send credential-phishing emails to Google and non-Google email accounts belonging to politicians, defense and government officials, journalists, and think tanks. "The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive," Google said. The files have contained a link to a credential-phishing domain, according to Google.