Russian spear phishing campaign escalates efforts toward critical UK, US and European targets

Russian state sponsored hackers have become increasing sophisticated at launching phishing attacks against critical targets in the UK, US and Europe over the past 12 months.

Threat actors have created fake personas, supported by social media accounts, fake profiles and academic papers, to lure targets into replying to sophisticated phishing emails.

“It’s becoming much more elaborate, much more sophisticated, much more complete, because the social engineering has had to be more convincing than it is had to be in the past,” Sherrod DeGrippo, an independent Threat Intelligence Expert told Computer Weekly.

Her comments came after the National Cyber Security Centre (NCSC) released an advisory warning about the continued cyber-attacks associated with two groups based in Iran and Russia. The Russian group, identified by several aliases including Seaborgium, has recently targeted SNP MP Stewart McDonald.

DeGrippo explained that Russia and Iran are evolving toward attacks that are more carefully constructed in terms of the social engineering of the personas they create.

The sophistication of impersonation of the attacks by Seaborgium, and other Russian hacking groups, has escalated in the past 12 to 18 months. Threat actors have created full personas, including social media accounts and profiles.

With each successful attack, the threat actor is able to refine their tactics by generating fake profiles that are more convincing. Threat actors are generating entire websites and portals in order to include references to the persona’s name and articles or academic papers.  

The malicious actor generates fake websites, articles and papers to pose as a researchers or a journalists. In this way, the techniques used are becoming more elaborate and sophisticated, said DeGrippo.

 “When we talk about the evolution, it’s becoming much more elaborate, much more sophisticated, much more complete, because the social engineering has had to be more convincing than it is had to be in the past,” said DeGrippo.

Academics are a particularly attractive target for the hacking group. Professors at Universities, for instance, do not only lecture. They typically have a speaking position or serve on a board. They might even work at a law first of work at a hospital.

DeGrippo said “if you’re a professor at a university, that’s typically not all you do. You also have some kind of speaking position. You also serve on a board somewhere. In some instances, you may also work at a law firm or work at a hospital.”

“You know, most academics don’t have a single role…if they specialize in anything international, like international law, atomic sciences, journalism activism, if that academic specializes in those fields, then all they have to do is compromise that academic in one area,” she added.

Journalists targeted by Russia

Journalists are also considered a high value targets by Russian threat actors such as  . Sensitive off-record material acquired from sources is of high value bad to Russian state sponsored groups. The intelligence gained may also be timely as it will be some of the earliest background information.

“They (journalists) essentially in many ways have leaks, secrets, sensitive information,” she says. The bad actor also has the choice to compromise the account and start sending emails posing as the target: “because at that point, you can start asking questions of sources that are a unique interest to cyber espionage intelligence for Russian interests.”

The NCSC advisory points the similarity between  and Seaborgium but explains that, according to the NCSC’s own industry reporting, the groups are not working together.

TA453, a.k.a. APT42/Charming Kitten/Yellow Garuda/ITG18, is the Iranian-based hacking group that has been using techniques such as impersonation and reconnaissance to collect sensitive information.

Alexis Dorais-Joncas, Senior Manager for Proofpoint, which began investigations into Seaborgium – referred to by the U.S. cybersecurity company as TA446 – in early 2021.

Dorais-Joncas said that Proofpoint has seen Seaborgium target those in the education sector and US federal civilian targets, as well as not-for-profits with NGO geopolitical affiliations. The Russian hacking group typically starts their campaigns with benign emails. Only after the group have ascertained if the email is active do they send phishing emails with malicious links intended to harvest credentials.

He explained that the activity by Seaborgium “relies heavily on reconnaissance and impersonation for delivery.”

While the nature of Seaborgium’s attacks may not be unique, the tactics employed by the Russian group have evolved and become more refined.

Whack-a-mole

Dorias-Joncas describes Seaborgium as playing a game of whack-a-mole whether takedowns are occurring or not. “The threat actor rapidly registers and changes which personas and aliases they are mimicking in the consumer email addresses and infrastructure they create 

He said that ‘Proofpoint analysts have observed various file types attached, delivery chains, and methods of evasion within hours of initial delivery to the end of a campaign.’

DeGrippo, a former Sr. Director of Threat Research and Detection at Proofpoint, said that the traditional tactics, techniques and procedures (TTPs) used by Seaborgium are particularly insidious.

The malicious actor logs in as a benign person and redirects the emails to their own infrastructure “meaning that person continues to operate their email, knowing, not knowing at any point that it has been compromised by a Russian threat actor” she said.

The Russian direct threat actor continues to get copies of the emails the target receives. The bad actor may never leverage the account to send emails from and only use it to make decisions based on intelligence collection.

 Sequoia.oi stated that Seaborgium (referred to as Calisto) contributes to Russian intelligence collection; specifically identified crime-related evidence and/or international justice procedures. The French group stated that the collection of information of this nature is likely to anticipate and build a counter-narrative on future finger pointing at Russia. 

DeGrippo said that the methods employed suggest they are state-supported. Attackers go to great lengths to ascertain if the email is operational by sending out initial emails to see if the subject responds: “crimeware actors don’t do that, crimeware actors that aren’t operating on behalf of a government entity.”

Dorais-Joncas said that the choice of targets has sometimes be timed with events in the Ukrainian war. “Nuclear energy-related targeting timed with on-the-ground battles around power plants, or defense sector-targeting when the topic of military aid and weapons delivery to Ukraine appeared in the news cycle,” he said.

The release of the NCSC’s advisory may be as a reaction to the apparent escalation in the sophistication of Seaborgium’s attacks. Dorias-Joncas argued that the advisory raises “awareness for these specific organizations…at least they know that they are a target of a very advanced threat actor.”

He that “by collaborating with other organisations in the security space, we can produce an effective and holistic method of tracking and curtailing the activity of threat actors such as TA446. Through collaborations of complementary and differing visibility, we are all in better positions to provide the most context and information to targeted users.”

The Russian group Seaborgium (a.k.a. Callisto Group/TA446/COLDRIVER/TAG-53) was responsible for the hacking of the Protonmail account owned by Richard Dearlove, the former head of the M16.

Dorias-Joncas said that protecting email users should be a top priority for all organisations, in particular those heavily targeted industries with high-levels of email traffic. Focusing on a cybersecurity strategy based on people, processes, and technology should be a priority. This involves training employees to identify malicious emails and using email security tools to block threats before they reach users’ inboxes.

Threats can be mitigated by putting the right processes in place. “As with any other attack involving credential phishing, implementing robust Multi-Factor Authentication (MFA) on all possible systems would help mitigate the impact of eventual stolen credentials.” Dorias-Joncas said.

Leave a Reply

Your email address will not be published. Required fields are marked *