cyber spying, digital payment protection, software virus protection for mobile data and digital global connections, hacker with a tablet on the background of binary code, Element of the image provided by NASA
Image: Adobe Stock

New research from Microsoft Threat Intelligence Center (MSTIC) sheds light on a cyberespionage threat actor known as Seaborgium.

Who is Seaborgium?

Seaborgium is a threat actor that originates from Russia, tracked by Microsoft since 2017. This is a highly persistent threat actor who compromises companies and individuals of interest. In 2022, they have targeted over 30 organizations in addition to personal accounts of individuals. Based on technical information and tactics, the threat actor overlaps with Callisto Group, TA446 and ColdRiver. The Security Service of Ukraine associated the threat actor with the Gamaredon group, however Microsoft’s researchers have not observed any link to support this association.

Targets for Seaborgium

The primary target of this threat actor is currently NATO countries, particularly the U.K. and the U.S. Occasional targeting of other countries has also occurred, including countries in the Baltics, the Nordics and Eastern Europe. Of particular interest is the targeting of Ukraine in the months prior to the invasion by Russia, and organizations playing a role in the war in Ukraine. Microsoft states that Ukraine is likely not a primary target for Seaborgium, and that attacks aimed at this country are probably a reactive focus area for the actor.

Seaborgium’s targets are defense and intelligence consulting companies, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), think tanks and higher education, according to Microsoft. In addition, 30% of Seaborgium’s activity targets Microsoft consumer email accounts, former intelligence officials, experts in Russian affairs and Russian citizens abroad.

SEE: Mobile device security policy (TechRepublic Premium)

Modus operandi

Researchers from MSTIC observed consistent methodology with only slight modifications in the social engineering approach that Seaborgium uses.

For starters, the threat actor works at knowing its target—it is the reconnaissance phase of the attack. The goal is to identify legitimate contacts in the target’s distant social network or sphere of influence. The attacker seems to use open-source intelligence (OSINT), personal directories and social media platforms to achieve that task. MSTIC reveals, in partnership with LinkedIn, that the threat actor has created fake LinkedIn profiles to conduct reconnaissance of employees from specific organizations of interest (Figure A).

Figure A

Fake LinkedIn profile created by Seaborgium threat actor.
Fake LinkedIn profile created by Seaborgium threat actor. Image: Microsoft

The identified accounts created by the threat actor have been terminated by LinkedIn.

Seaborgium also creates new email addresses at various email providers, setting it to match legitimate aliases or names of impersonated individuals. On one occasion, the researchers have seen the threat actor reuse an account that had not been used in a year, to target a matching industry. This indicates a well-organized threat actor, probably tracking and reusing accounts when relevant.

Once all this configuration is done, the threat actor reaches the target with a benign email message referencing a non-existing attachment which should have contained a topic of interest for the target (Figure B).

Figure B

Sample emails sent from Seaborgium to targets.
Sample emails sent from Seaborgium to targets. Image: Microsoft

In other cases, the actor adopts another approach—more direct—and sends malicious content (Figure C).

Figure C

Sample email containing malicious content sent to a target.
Sample email containing malicious content sent to a target. Image: Microsoft

As for the malicious content, it can be as simple as a URL leading to a phishing page, sometimes obfuscated using URL shorteners, or it can be an attached PDF file containing a URL leading to a phishing page. Finally, the attacker might also use PDF files hosted on OneDrive, once again containing a link to a phishing page.

The landing phishing page is hosted on an attacker-controlled server hosting a phishing framework, most often Evilginx. That framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider, allowing the attacker to grab the target’s credentials. Once those credentials are captured, the user is redirected to a website or document to complete the interaction.

Seaborgium does use these credentials to exfiltrate the target’s emails and file attachments directly from their mailbox. In a few cases, the attacker has set up forwarding rules to an actor-controlled email address. Amongst the emails of interest for the attacker are mailing-list data from private and sensitive groups, such as those used by former intelligence officials.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

More than cyberespionage

While Seaborgium’s main goal is cyberespionage, the group has sporadically been involved in information operations, according to Microsoft.

In May 2021, MSTIC observed the threat actor shared documents stolen from a political organization in the U.K. The documents were uploaded to a public PDF file-sharing website, while the threat actor amplified the documents via their social media accounts. Yet further amplification was minimal.

One year later, an information operation was attributed by Google’s Threat Analysis Group (TAG) to ColdRiver/SeaBorgium, as confirmed by Microsoft. The threat actor leaked emails and documents from 2018 to 2022, which were allegedly stolen from email accounts belonging to high-level proponents of Brexit.

How to protect from this threat?

Typical operations from this threat actor hardly vary through time and are very focused on emails. Therefore, email filtering should be set, and email security solutions should be deployed.

Filtering solutions should also be enabled directly in the browser to avoid accessing a known phishing page.

Multi-factor authentication (MFA) should also be employed, if possible, not relying on telephony, as attackers might be able to bypass it. It should rather use more secure implementations such as FIDO tokens or authenticator applications.

Users should also carefully check emails they receive and check if they come from the usual email address of their contact. Should it come from a new one, they should reach the contact via another way, like a phone call, to check whether it really came from their contact.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday