The Microsoft Threat Intelligence Center (MSTIC) has disrupted a social engineering operation associated with a Russian threat actor, SEABORGIUM.
The SEABORGIUM group (also tracked as TA446 by Proofpoint and ColdRiver by Google) has been targeting NATO countries, with attack campaigns in the Nordics, the Baltics, and Ukraine.
The hacking group tries to steal sensitive emails from NATO organizations and people of interest to Russia.
SEABORGIUM has infiltrated nearly 30 organizations since the start of this year.
It has been harvesting data from former intelligence officials, Russian citizens abroad, and experts in Russian affairs.
In a recent attack, it stole sensitive documents from a U.K. political entity.
Its range of targets
Besides NATO organizations, its key targets include defense and threat intelligence consulting firms, NGOs, Intergovernmental Organizations (IGOs), higher education institutions, and think tanks.
The threat group first creates an online persona using social media, email, and LinkedIn accounts to use in social engineering campaigns.
Subsequently, the attackers contact individuals of interest to start a conversation and build some trust; eventually, they send a phishing email with an attachment.
The emails carry PDF attachments, or links to a OneDrive account or another file hosting service where the PDF is hosted.
The attachment displays a message stating that the document could not be viewed and that the victim should click a button to try again.
Clicking the button leads the victim to a landing page running a phishing framework such as EvilGinx, which acts as a proxy to the real service and displays its login form.
The threat group steals the entered credentials and the authentication cookies or tokens generated after the user logs in. These stolen tokens allow the threat group to log in even if 2FA is enabled.
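Because the stolen session token, not the password, is what gets replayed, a defender's best signal is the token being used from somewhere other than the client that completed the interactive sign-in. The script below is an added example, not code from the article or from Microsoft: it runs that heuristic over a handful of constructed sign-in events (the field names, the event layout and the IP addresses are all assumptions made for the demo, not a real log schema) and flags any session whose token is later used from a different IP than the one that performed the MFA-satisfied login.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events (not real logs). "interactive" means the user
# entered credentials and satisfied MFA; "token" means an existing session
# cookie/token was presented without a fresh login. Field names are assumed.
EVENTS = [
    {"user": "analyst@example.org", "time": "2022-08-15T09:00:00",
     "ip": "203.0.113.10", "session": "s1", "kind": "interactive"},
    # 40 seconds later the same session token is used from another IP:
    # consistent with a proxy-style phishing kit relaying the stolen cookie.
    {"user": "analyst@example.org", "time": "2022-08-15T09:00:40",
     "ip": "198.51.100.7", "session": "s1", "kind": "token"},
    {"user": "analyst@example.org", "time": "2022-08-15T13:00:00",
     "ip": "203.0.113.10", "session": "s1", "kind": "token"},
    {"user": "fellow@example.org", "time": "2022-08-15T10:00:00",
     "ip": "203.0.113.22", "session": "s2", "kind": "interactive"},
    {"user": "fellow@example.org", "time": "2022-08-15T10:05:00",
     "ip": "203.0.113.22", "session": "s2", "kind": "token"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_session_reuse(events):
    """Return one alert per token use whose source IP differs from the IP
    that performed the interactive sign-in that minted the session."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        # The first interactive event is the login that created the session.
        origin = next((e for e in evs if e["kind"] == "interactive"), None)
        if origin is None:
            continue  # session with no observed login: nothing to compare against
        for e in evs:
            if e["kind"] == "token" and e["ip"] != origin["ip"]:
                alerts.append({
                    "user": e["user"],
                    "session": sid,
                    "login_ip": origin["ip"],
                    "reuse_ip": e["ip"],
                    "seconds_after_login": int((_ts(e) - _ts(origin)).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(EVENTS):
        print(f"{a['user']}: session {a['session']} minted from {a['login_ip']} "
              f"used from {a['reuse_ip']} {a['seconds_after_login']}s after login")
```

Mobile users and VPN changes will trip the same rule, so in practice the IP comparison is usually widened to ASN or geolocation and the alert is weighted by how soon after the login the reuse occurs; the 40-second gap in the constructed sample is the kind of timing that should be treated as high confidence.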
Microsoft said it has disabled the accounts used by the adversary group for surveillance, phishing, and email collection. It has also shared 69 domains that were supposedly related to phishing campaigns stealing credentials for Microsoft, ProtonMail, and Yandex accounts.
Microsoft claims to have successfully disrupted SEABORGIUM's campaigns by disabling those accounts. The company also recommends disabling email auto-forwarding in Microsoft 365, using the published IOCs to identify compromise, applying MFA on all accounts, and using FIDO security keys for added protection.
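Two of those recommendations can be turned into a routine check. The script below is an added example, not code from the article or from Microsoft; it audits a constructed export of mailbox forwarding settings and inbox rules for forwarding to addresses outside the organisation, and matches domains seen in mail or proxy logs against an IOC list. The export layout, the mailbox data and the IOC domains are all assumptions for the demo: the article says Microsoft published 69 domains, but none of the `.invalid` names used here come from that list, so a real run would load the published list in their place.

```python
# Constructed sample export of per-mailbox forwarding settings and inbox
# rules, loosely shaped like what a mail-admin export would contain
# (assumption; field names are not a real API schema).
INTERNAL_DOMAIN = "example.org"

MAILBOXES = [
    {"name": "analyst", "forwarding_smtp": None,
     "rules": [{"name": "Archive newsletters", "forward_to": [], "redirect_to": []}]},
    # Forwarding to a colleague in the same domain: noted but not flagged.
    {"name": "fellow", "forwarding_smtp": "backup@example.org", "rules": []},
    # An inbox rule silently forwarding everything to an external mailbox,
    # the pattern an email-collection operation relies on.
    {"name": "director", "forwarding_smtp": None,
     "rules": [{"name": "Mail sync",
                "forward_to": ["collector@mail-service.invalid"], "redirect_to": []}]},
]

# Placeholder IOC domains (constructed, NOT Microsoft's published list).
IOC_DOMAINS = {"phish-example.invalid", "login-lookalike.invalid"}

# Constructed domains as they might appear in mail-link or proxy logs.
OBSERVED_DOMAINS = [
    "cdn.phish-example.invalid",   # subdomain of an IOC: should match
    "onedrive.live.com",           # legitimate file hosting: no match
    "LOGIN-LOOKALIKE.invalid.",    # case and trailing dot differ: should still match
    "notphish-example.invalid",    # shares a suffix only: must NOT match
]


def is_external(address, internal_domain):
    """True when the address's domain is not the organisation's own."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".") != internal_domain.lower()


def audit_forwarding(mailboxes, internal_domain):
    """Return (mailbox, source, target) for every external forward found,
    whether set at mailbox level or via an inbox rule."""
    findings = []
    for mb in mailboxes:
        fwd = mb.get("forwarding_smtp")
        if fwd and is_external(fwd, internal_domain):
            findings.append((mb["name"], "mailbox forwarding", fwd))
        for rule in mb.get("rules", []):
            for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
                if is_external(target, internal_domain):
                    findings.append((mb["name"], f"inbox rule '{rule['name']}'", target))
    return findings


def match_iocs(observed, ioc_domains):
    """Return (observed, ioc) pairs where the observed domain equals an IOC
    or is a subdomain of one. Comparison is case-insensitive and ignores a
    trailing dot; a bare suffix overlap (notphish-example) does not match."""
    normalised_iocs = {d.lower().rstrip(".") for d in ioc_domains}
    hits = []
    for d in observed:
        dl = d.lower().rstrip(".")
        for ioc in normalised_iocs:
            if dl == ioc or dl.endswith("." + ioc):
                hits.append((d, ioc))
    return hits


if __name__ == "__main__":
    for mailbox, source, target in audit_forwarding(MAILBOXES, INTERNAL_DOMAIN):
        print(f"[forwarding] {mailbox}: {source} -> {target}")
    for seen, ioc in match_iocs(OBSERVED_DOMAINS, IOC_DOMAINS):
        print(f"[ioc] {seen} matches {ioc}")
```

The suffix check is the part that is easy to get wrong: matching with a plain `endswith(ioc)` would also catch `notphish-example.invalid`, so the code requires either an exact match or a dot boundary before the IOC domain. Flagging only external forwards is a deliberate narrowing of "disable auto-forwarding"; an organisation that adopts the recommendation outright would report every non-empty forwarding target instead.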