The UK National Cyber Security Centre (NCSC) has warned organizations about continued spear-phishing attacks by Russian and Iranian actors.
In its advisory, the NCSC highlighted the tactics and techniques used by the Russia-based threat actor SEABORGIUM and the Iran-based group TA453.
These attacks throughout 2022 have targeted specific political sectors and individuals, including academia, defense, government agencies, non-governmental organizations (NGOs), think tanks, politicians, journalists and activists.
NCSC has urged organizations and individuals in these areas to pay attention to the tactics used by two separate groups.
According to the advisory, both groups begin by gathering information about their targets from open source resources such as social media and professional networking platforms.
To appear legitimate, attackers create fake social media or network profiles impersonating respected experts and journalists and use conference and event invitations.
Both SEABORGIUM and TA453 use webmail addresses from well-known providers such as Outlook and Gmail to send the initial message. They also create malicious domains that resemble legitimate organizations to make them look real, the advisory said.
Phishing emails are primarily sent to the target's personal email address, although corporate addresses are also used. The attacker then works to build trust with the victim, establishing benign contact on a topic likely to interest the target.
Once trust is established, the attacker shares a malicious link, ostensibly to a document or website of interest. The link directs the target to a server controlled by the actor, which prompts them for their account credentials.
After the credentials are compromised, the attacker can use them to log into the target’s email account, from which they can access and steal sensitive emails and attachments.
The NCSC added that threat groups are using access to victims’ email accounts to access mailing list data and contact lists, enabling subsequent targeting and phishing campaigns.
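The two sender patterns the advisory describes, first contact from a free webmail account and lookalike domains imitating a legitimate organisation, can be screened for mechanically. The following is an added example written for this page, not code from the NCSC advisory or from either threat group; the trusted domains, webmail list and sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed for this example: domains the recipient organisation trusts.
TRUSTED_DOMAINS = {"example-thinktank.org", "example-university.ac.uk"}

# Free webmail providers of the kind the advisory says are used for first contact.
WEBMAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Crude registrable-domain extraction (handles two-level suffixes such as ac.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"ac", "co", "gov", "org", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_trusted(host: str, trusted) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    if _is_trusted(host, trusted):
        return None
    reg = _registrable(host)
    for t in sorted(trusted):
        # Either a near-miss spelling of the real domain, or the real name buried in a longer host.
        if levenshtein(reg, t) <= max_distance or t.split(".")[0] in host:
            return t
    return None


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Flag a From: header that uses webmail while claiming an affiliation, or a lookalike domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in WEBMAIL_PROVIDERS:
        squashed = re.sub(r"[^a-z0-9]", "", name.lower())
        for t in sorted(trusted):
            if re.sub(r"[^a-z0-9]", "", t.split(".")[0]) in squashed:
                findings.append(f"webmail-sender-claims-affiliation:{t}")
                break
    imitated = lookalike_of(domain, trusted)
    if imitated:
        findings.append(f"lookalike-sender-domain:{imitated}")
    return findings


def suspicious_links(body: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return (host, imitated_domain) pairs for links whose host imitates a trusted domain."""
    out = []
    for host in _HOST_RE.findall(body):
        imitated = lookalike_of(host, trusted)
        if imitated:
            out.append((host, imitated))
    return out


if __name__ == "__main__":
    # Constructed sample headers and body, not real messages.
    for hdr in ("Dr Jane Doe <jane.doe@example-thinktank.org>",
                "Example Think Tank Events <events.examplethinktank@gmail.com>",
                "IT Helpdesk <helpdesk@examp1e-thinktank.org>"):
        print(hdr, "->", assess_sender(hdr))
    body = ("Please review the shared file: https://login.examp1e-thinktank.org/share/agenda.pdf "
            "and the programme at https://www.example-university.ac.uk/events")
    print(suspicious_links(body))
```

The webmail check is deliberately narrow: it only fires when the display name claims an affiliation with a trusted organisation, since plenty of legitimate correspondents use Gmail or Outlook. Lookalike scoring uses both edit distance on the registrable domain and a search for the organisation's name inside a longer host, because the advisory's "domains that resemble legitimate organizations" covers both typosquats and names-plus-suffix registrations. The suffix list in `_registrable` is a simplification; a production filter would use the Public Suffix List.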
NCSC Director of Operations Paul Chichester commented:
“These campaigns by threat actors based in Russia and Iran continue to relentlessly pursue targets to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organizations and individuals to remain vigilant against potential approaches and follow the advisory’s mitigation advice to protect themselves online.”
Mitigation strategies set by NCSC include using strong and distinct passwords for email accounts, enabling multi-factor authentication, and keeping devices and networks up to date.
Proofpoint researchers said the advisory was consistent with their own independent research, including on TA453, which shows nation state-aligned threat actors crafting highly targeted and sophisticated social engineering campaigns that they described as "some of the best".
"In this case, I see TA453 attackers working with Iran enhancing their game by using multi-persona impersonation to leverage social proof and force their targets to accept their shortcomings. Our researchers have seen that this requires using more resources per target, potentially burning more personas, and a coordinated approach between the different personalities that TA453 uses. It's an interesting technique because it requires ...," said a Proofpoint spokesperson.
They added: "For example, a professional contacted by a journalist should check the publication's website to see whether the journalist's email address is that of a legitimate reporter."
Separately, an investigation published by Secureworks on January 26, 2023 found that the Iranian threat group COBALT SAPLING has resurfaced under a new persona, Abraham's Ax. The group is associated with Moses Staff, a self-proclaimed anti-Israeli and pro-Palestinian persona whose primary aim is to harass and disrupt Israeli businesses.
Secureworks researchers assess that the Abraham's Ax persona is operated by the same group, in concert with Moses Staff, and is being used to attack government ministries in Saudi Arabia.