{"id":607874,"date":"2023-02-14T07:49:19","date_gmt":"2023-02-14T13:49:19","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/02\/14\/russian-spear-phishing-campaign-escalates-efforts-toward-critical-uk-us-and-european-targets\/"},"modified":"2023-02-14T07:49:19","modified_gmt":"2023-02-14T13:49:19","slug":"russian-spear-phishing-campaign-escalates-efforts-toward-critical-uk-us-and-european-targets","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/02\/14\/russian-spear-phishing-campaign-escalates-efforts-toward-critical-uk-us-and-european-targets\/","title":{"rendered":"Russian spear phishing campaign escalates efforts toward critical UK, US and European targets"},"content":{"rendered":"<div id=\"content-header\">\n<h2>Russian hacking group Seaborgium refines its tactics in a continuation of attacks against targets including not-for-profit organisations with geopolitical affiliations<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\tSimone Bateson<\/li>\n<\/ul>\n<p>\n\tPublished: <span>13 Feb 2023 17:55<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Russian state-sponsored hackers have become increasingly sophisticated at launching phishing attacks against critical targets in the UK, US and Europe over the past 12 months.<\/p>\n<p>Threat actors have created fake personas, supported by social media accounts, fake profiles and academic papers, to lure targets into replying to sophisticated phishing emails.<\/p>\n<p>\u201cIt&#8217;s becoming much more elaborate, much more sophisticated, much more complete, because the social engineering has had to be more convincing than it has had to be in the past,\u201d Sherrod DeGrippo, an independent threat intelligence expert, told Computer Weekly.<\/p>\n<p>Her comments came after the National Cyber 
Security Centre (NCSC) released an advisory warning about the continued cyber attacks associated with two groups based in Iran and Russia. The Russian group, identified by several aliases including Seaborgium, <span><a href=\"https:\/\/www.computerweekly.com\/news\/365530673\/Russian-hacking-group-Seaborgium-targets-SNP-MP-Stewart-McDonald\">has recently targeted SNP MP Stewart McDonald<\/a><\/span>.<\/p>\n<p>DeGrippo said Russia and Iran are evolving toward attacks that are more carefully constructed in terms of the social engineering of the personas they create.<\/p>\n<p>The sophistication of the impersonation used in attacks by Seaborgium and other Russian hacking groups has escalated over the past 12 to 18 months. Threat actors have created full personas, including social media accounts and profiles.<\/p>\n<p>With each successful attack, the threat actor is able to refine its tactics by generating fake profiles that are more convincing. Threat actors are generating entire websites and portals that include references to the persona\u2019s name and articles or academic papers.<\/p>\n<p>The malicious actor generates fake websites, articles and papers to pose as researchers or journalists. In this way, the techniques used are becoming more elaborate and sophisticated, said DeGrippo.<\/p>\n<p>Academics are a particularly attractive target for the hacking group. DeGrippo said, \u201cIf you&#8217;re a professor at a university, that&#8217;s typically not all you do. You also have some kind of speaking position. You also serve on a board somewhere. In some instances, you may also work at a law firm or work at a hospital.<\/p>\n<p>\u201cMost academics don&#8217;t have a single role. 
If they specialise in anything international, like international law, atomic sciences, journalism, activism, then all the [threat actors] have to do is compromise that academic in one area.&#8221;<\/p>\n<section data-menu-title=\"Journalists targeted by Russia\">\n<h3>Journalists targeted by Russia<\/h3>\n<p>Journalists are also considered high-value targets by Russian threat actors. Sensitive off-record material acquired from sources is of high value to Russian state-sponsored groups. The intelligence gained may also be timely, as it is likely to be some of the earliest background information available.<\/p>\n<p>\u201cThey [journalists] in many ways have leaks, secrets, sensitive information,\u201d said DeGrippo. The bad actor also has the choice to compromise the account and start sending emails posing as the target, she added: \u201cBecause at that point, you can start asking questions of sources that are a unique interest to cyber espionage intelligence for Russian interests.\u201d<\/p>\n<p>The NCSC advisory points out the similarity between the tactics employed by TA453 and Seaborgium but explains that, according to the NCSC\u2019s own industry reporting, the groups are not working together.<\/p>\n<p>TA453, also known as APT42\/Charming Kitten\/Yellow Garuda\/ITG18, is an Iran-based hacking group that has been using techniques such as impersonation and reconnaissance to collect sensitive information.<\/p>\n<p>Alexis Dorais-Joncas is a senior manager at Proofpoint, the US cyber security company that began investigating Seaborgium, which it refers to as TA446, in early 2021.<\/p>\n<p>Dorais-Joncas said that Proofpoint has seen Seaborgium target the education sector and US federal civilian targets, as well as not-for-profit groups (NGOs) with geopolitical affiliations. The Russian hacking group typically starts its campaigns with benign emails. 
Only after the group has ascertained that the email address is active does it send phishing emails with malicious links intended to harvest credentials.<\/p>\n<p>Dorais-Joncas said the activity by Seaborgium \u201crelies heavily on reconnaissance and impersonation for delivery.\u201d<\/p>\n<p>While the nature of Seaborgium\u2019s attacks may not be unique, the tactics employed by the Russian group have evolved and become more refined.<\/p>\n<\/section>\n<section data-menu-title=\"Whack-a-mole\">\n<h3>Whack-a-mole<\/h3>\n<p>Dorais-Joncas describes Seaborgium as playing a game of &#8220;whack-a-mole&#8221; whether takedowns are occurring or not: \u201cThe threat actor rapidly registers and changes which personas and aliases they are mimicking in the consumer email addresses and infrastructure they create.\u201d<\/p>\n<p>He added: &#8220;Proofpoint analysts have observed various file types attached, delivery chains, and methods of evasion within hours of initial delivery to the end of a campaign.&#8221;<\/p>\n<p>DeGrippo, a former senior director of threat research and detection at Proofpoint, said the traditional tactics, techniques and procedures used by Seaborgium are particularly insidious.<\/p>\n<p>A malicious actor logs in as the legitimate user and redirects that person\u2019s emails to their own infrastructure, \u201cmeaning that person continues to operate their email, not knowing at any point that it has been compromised by a Russian threat actor,\u201d she said.<\/p>\n<p>The Russian actor continues to receive copies of the emails the target receives. The bad actor may never use the account to send emails, instead using it only to inform decisions based on the intelligence collected.<\/p>\n<p>Cyber security firm Sekoia.io stated that Seaborgium (also referred to as Calisto) contributes to Russian intelligence collection and specifically targets crime-related evidence and\/or international justice procedures. 
The French firm stated that collecting information of this nature is likely intended to anticipate, and build a counter-narrative against, future finger-pointing at Russia.<\/p>\n<p>DeGrippo said the methods employed suggest the attackers are state-supported. Attackers go to great lengths to ascertain whether an email address is operational by sending initial emails to see if the subject responds: \u201cCrimeware actors don&#8217;t do that; crimeware actors aren&#8217;t operating on behalf of a government entity.\u201d<\/p>\n<p>Dorais-Joncas said the choice of targets has sometimes been timed to coincide with events in the war in Ukraine. \u201cNuclear energy-related targeting timed with on-the-ground battles around power plants, or defence sector targeting when the topic of military aid and weapons delivery to Ukraine appeared in the news cycle,\u201d he said.<\/p>\n<p>The release of the NCSC\u2019s advisory may be a reaction to the apparent escalation in the sophistication of Seaborgium\u2019s attacks. Dorais-Joncas argued that the advisory raises \u201cawareness for these specific organisations\u2026at least they know that they are a target of a very advanced threat actor.\u201d<\/p>\n<p>He said that \u201cby collaborating with other organisations in the security space, we can produce an effective and holistic method of tracking and curtailing the activity of threat actors such as TA446. 
Through collaborations of complementary and differing visibility, we are all in better positions to provide the most context and information to targeted users.\u201d<\/p>\n<p>Seaborgium was responsible for hacking the Protonmail account owned by <a href=\"https:\/\/www.computerweekly.com\/news\/252525366\/How-Russian-intelligence-hacked-the-encrypted-emails-of-former-MI6-boss-Richard-Dearlove\">Richard Dearlove, the former head of MI6<\/a>.<\/p>\n<p>Dorais-Joncas said that protecting email users should be a top priority for all organisations, in particular those in heavily targeted industries with high levels of email traffic. Focusing on a cyber security strategy based on people, processes and technology should be a priority. This involves training employees to identify malicious emails and using email security tools to block threats before they reach users\u2019 inboxes.<\/p>\n<p>Threats can be mitigated by putting the right processes in place. \u201cAs with any other attack involving credential phishing, implementing robust multifactor authentication on all possible systems would help mitigate the impact of eventual stolen credentials,\u201d Dorais-Joncas said.<\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365531158\/Russian-spear-phishing-campaign-escalates-efforts-toward-critical-UK-US-and-European-targets\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Tomi Catt<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russian hacking group Seaborgium refines its tactics in a continuation of attacks against targets including not-for-profit organisations with geopolitical affiliations By Simone Bateson Published: 13 Feb 2023 17:55 Russian state-sponsored hackers have become increasingly sophisticated at launching phishing attacks against critical targets in the UK, US and Europe over the past 12 months. 
Threat actors<\/p>\n","protected":false},"author":1,"featured_media":607875,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[776,119151,46],"tags":[],"class_list":{"0":"post-607874","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-russian","8":"category-spear","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/607874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=607874"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/607874\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/607875"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=607874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=607874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=607874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}