Russian spear phishing campaign escalates efforts toward critical UK, US and European targets

Journalists targeted by Russia

Journalists are also considered a high-value targets by Russian threat actors. Sensitive off-record material acquired from sources is of high value to Russian state-sponsored groups. The intelligence gained may also be timely as it will be some of the earliest background information.

“They [journalists] in many ways have leaks, secrets, sensitive information,” said DeGrippo. The bad actor also has the choice to compromise the account and start sending emails posing as the target, she added: “Because at that point, you can start asking questions of sources that are a unique interest to cyber espionage intelligence for Russian interests.”

‘The NCSC advisory points out the similarity between the tactics employed by TA453 and Seaborgium but explains that, according to the NCSC’s own industry reporting, the groups are not working together.

TA453, also known as APT42/Charming Kitten/Yellow Garuda/ITG18, is an Iranian-based hacking group that has been using techniques such as impersonation and reconnaissance to collect sensitive information.

Alexis Dorais-Joncas, senior manager at Proofpoint, which began investigations into Seaborgium – which is also referred to by the US cyber security company as TA446 – in early 2021.

Dorais-Joncas said that Proofpoint has seen Seaborgium target the education sector and US federal civilian targets, as well as not-for-profit groups (NGOs) with geopolitical affiliations. The Russian hacking group typically starts its campaigns with benign emails. Only after the group has ascertained if the email is active do they send phishing emails with malicious links intended to harvest credentials.

Dorais-Joncas said the activity by Seaborgium “relies heavily on reconnaissance and impersonation for delivery.”

While the nature of Seaborgium’s attacks may not be unique, the tactics employed by the Russian group have evolved and become more refined.

Whack-a-mole

Dorais-Joncas describes Seaborgium as playing a game of “whack-a-mole” whether takedowns are occurring or not: “The threat actor rapidly registers and changes which personas and aliases they are mimicking in the consumer email addresses and infrastructure they create“.

He added: “Proofpoint analysts have observed various file types attached, delivery chains, and methods of evasion within hours of initial delivery to the end of a campaign.”

DeGrippo, a former senior director of threat research and detection at Proofpoint, said the traditional tactics, techniques and procedures used by Seaborgium are particularly insidious.

A malicious actor logs in as a benign person and redirects emails to their own infrastructure, “meaning that person continues to operate their email, not knowing at any point that it has been compromised by a Russian threat actor,” she said.

The Russian actor continues to get copies of the emails the target receives. The bad actor may never leverage the account to send emails from and only use it to make decisions based on intelligence collection.

Cyber security firm Sekoia.io stated that Seaborgium (also referred to as Calisto) contributes to Russian intelligence collection and specifically identified crime-related evidence and/or international justice procedures. The French group stated that the collection of information of this nature is likely to anticipate and build a counter-narrative on future finger-pointing at Russia. 

DeGrippo said the methods employed suggest they are state-supported. Attackers go to great lengths to ascertain if the email is operational by sending out initial emails to see if the subject responds: “Crimeware actors don’t do that; crimeware actors aren’t operating on behalf of a government entity.”

Dorais-Joncas said the choice of targets has sometimes been timed with events in the Ukrainian war. “Nuclear energy-related targeting timed with on-the-ground battles around power plants, or defence sector targeting when the topic of military aid and weapons delivery to Ukraine appeared in the news cycle,” he said.

The release of the NCSC’s advisory may be a reaction to the apparent escalation in the sophistication of Seaborgium’s attacks. Dorais-Joncas argued that the advisory raises “awareness for these specific organisations…at least they know that they are a target of a very advanced threat actor.”

He said that “by collaborating with other organisations in the security space, we can produce an effective and holistic method of tracking and curtailing the activity of threat actors such as TA446. Through collaborations of complementary and differing visibility, we are all in better positions to provide the most context and information to targeted users.”

Seaborgium was responsible for the hacking of the Protonmail account owned by Richard Dearlove, the former head of MI6.

Dorais-Joncas said that protecting email users should be a top priority for all organisations, in particular those heavily targeted industries with high-levels of email traffic. Focusing on a cyber security strategy based on people, processes, and technology should be a priority. This involves training employees to identify malicious emails and using email security tools to block threats before they reach users’ inboxes.

Threats can be mitigated by putting the right processes in place. “As with any other attack involving credential phishing, implementing robust multifactor authentication on all possible systems would help mitigate the impact of eventual stolen credentials,” Dorais-Joncas said.