Microsoft warns of Russian 'Seaborgium' phishing, reconnaissance activities
The company says it has blocked a number of accounts used by the threat actors
Microsoft said on Monday that it has taken action to stop phishing activities carried out by Seaborgium, a "very persistent threat actor" whose goals closely resemble those of the Russian state.
Threat researchers have previously referred to Seaborgium as Callisto Group, ColdRiver and TA446. The group focuses primarily on targets in the US and UK, with occasional attacks made against entities in the Baltics, Nordics and Eastern European countries.
Defence and intelligence consultancy firms, non-governmental and intergovernmental organisations, think tanks, institutions of higher learning, experts in Russian issues, and Russian nationals living abroad are some of its main targets.
Microsoft has tracked the actor since 2017, but its phishing campaigns have lately resurfaced, targeting a number of individuals before being identified by the Microsoft Threat Intelligence Center (MSTIC).
Microsoft says Seaborgium has been targeting Microsoft's customers via email by impersonating security experts from Microsoft.
Seaborgium actors target the same organisation over an extended period of time. Once successful, they progressively enter the social networks of their targets using persistent impersonation, rapport-building and phishing to deepen their penetration.
Malicious URLs are delivered either directly in the email body or inside an attachment, often hosted on or impersonating legitimate file-sharing services such as Microsoft's OneDrive. The victim's credentials are then harvested with EvilGinx, an adversary-in-the-middle phishing framework that proxies the victim's session to the real sign-in page and intercepts what passes through it.
Additionally, threat actors impersonate Microsoft's webpage to trick users into providing their login credentials.
According to Microsoft, when the target clicks the malicious URL, they are sent to an actor-controlled server hosting a phishing framework, most often EvilGinx. Microsoft has sometimes seen the attackers trying to evade automated browsing and detonation by fingerprinting browsing behaviour.
"Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials," Microsoft explained.
"After credentials are captured, the target is redirected to a website or document to complete the interaction."
Once Seaborgium has gained access to the victim's email account, it attempts to steal intelligence data and, sometimes, approach other potential targets using those stolen accounts to get sensitive information.
Microsoft says the group would sometimes even set up forwarding rules from victim inboxes to allow persistent data collection.
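Malicious forwarding rules of the kind described above are one of the easier post-compromise artefacts to hunt for, because every inbox-rule or mailbox-forwarding change lands in the Exchange Online unified audit log. The following is an added example, not code from Microsoft's report: it scans audit records in the usual Office 365 shape (an Operation, a UserId and a list of Name/Value Parameters) for forwarding or redirection to an address outside the organisation's own domains. The tenant domain, the audit records and the address formats handled are all constructed for the example.

```python
"""Flag mailbox forwarding that sends copies of a victim's mail outside the tenant.

Added example: scans Exchange Online unified-audit-log style records for
New-InboxRule / Set-InboxRule / Set-Mailbox operations whose parameters forward
or redirect mail to an address outside the organisation's own domains.
The record shape follows the Office 365 audit log, but every record below is
constructed sample data, not real telemetry.
"""
import json

# Assumed tenant domain(s) for the example; anything else counts as external.
INTERNAL_DOMAINS = {"example.org"}

# Cmdlet parameters that cause mail to leave the mailbox.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox rules
    "ForwardingSmtpAddress", "ForwardingAddress",         # mailbox-level forwarding
}
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample: one JSON audit record per line.
# Record 2 is the attacker pattern: a rule with a throwaway name that forwards
# externally and deletes the original so the victim never sees the copy.
SAMPLE_AUDIT_LOG = r'''
{"CreationTime":"2022-08-15T09:12:03","Operation":"New-InboxRule","UserId":"bob@example.org","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2022-08-15T09:40:51","Operation":"New-InboxRule","UserId":"alice@example.org","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:collector@mail-relay.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2022-08-15T10:02:17","Operation":"Set-Mailbox","UserId":"it-admin@example.org","Parameters":[{"Name":"Identity","Value":"carol@example.org"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.shared@example.org"}]}
{"CreationTime":"2022-08-15T10:15:44","Operation":"Set-Mailbox","UserId":"alice@example.org","Parameters":[{"Name":"Identity","Value":"alice@example.org"},{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@example-mail-backup.com"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
'''


def load_records(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _addresses(value):
    """Extract bare, lower-cased addresses from a forwarding parameter value.

    Handles the forms seen in practice: a list, a ';'-separated string,
    an 'smtp:' prefix, and 'Display Name <address>'.
    """
    items = value if isinstance(value, list) else str(value).split(";")
    out = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        if "<" in item and item.endswith(">"):
            item = item[item.rindex("<") + 1:-1]
        if item.lower().startswith("smtp:"):
            item = item[5:]
        out.append(item.lower())
    return out


def is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_external_forwarding(records):
    """Return one finding per watched operation that forwards mail externally."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = _params(rec)
        external = [
            (name, addr)
            for name in sorted(FORWARDING_PARAMS & params.keys())
            for addr in _addresses(params[name])
            if is_external(addr)
        ]
        if not external:
            continue
        findings.append({
            "time": rec.get("CreationTime"),
            "operation": rec["Operation"],
            "actor": rec.get("UserId"),
            # Set-Mailbox names the target in Identity; inbox rules act on the caller.
            "mailbox": params.get("Identity", rec.get("UserId")),
            "rule_name": params.get("Name"),
            "external_targets": external,
            # Deleting the original is a common sign the rule is meant to stay hidden.
            "hides_copies": str(params.get("DeleteMessage", "")).lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(load_records(SAMPLE_AUDIT_LOG)):
        flag = " (original deleted)" if f["hides_copies"] else ""
        print(f"{f['time']} {f['operation']} by {f['actor']} on {f['mailbox']}: "
              f"{f['external_targets']}{flag}")
```

Run against a real export, the same logic flags the two attacker-style records (alice's hidden inbox rule and her mailbox-level forward) while leaving bob's folder rule and the admin's internal forward alone. In a live tenant, the equivalent point-in-time check is to enumerate current rules and mailbox forwarding settings with Exchange Online PowerShell and apply the same external-domain test; the audit-log approach additionally shows who created the rule and when, which matters when the actor acted from the victim's own account.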
The group has targeted nearly 30 organisations since the start of 2022.
Microsoft did not disclose the number of Seaborgium-linked accounts that it had blocked, but it did mention that the new detection features added to Microsoft Defender SmartScreen assisted in shielding users from the group's phishing domains.
The company advises organisations to use phishing-resistant multifactor authentication (MFA) such as FIDO security keys, or authenticator apps with number matching, rather than telephony-based (SMS or voice) MFA. Note that number matching defends against push-notification fatigue, not against a proxy-style phishing kit like EvilGinx, which relays the victim's real MFA prompt in real time; only an origin-bound method such as a FIDO key refuses to complete authentication on the attacker's lookalike domain.
It also recommends mandating MFA for all users from all locations, including trusted ones.
Organisations should also scan their environment for the published Seaborgium indicators of compromise (IOCs), such as the group's phishing domains, and use any matches to assess whether an intrusion has already taken place.