British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries

January 27, 2023 | Ravie Lakshmanan | State-Sponsored Attacks

Britain’s National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks launched by Russian and Iranian state-backed attackers for intelligence gathering operations.

“The attacks do not target the general public, but rather specific sectors such as academia, defense, government agencies, NGOs, think tanks, politicians, journalists and activists,” the NCSC said.

Authorities attributed the intrusion to SEABORGIUM (aka Callisto, COLDRIVER, and TA446) and APT42 (aka ITG18, TA453, and Yellow Garuda). Aside from similarities in modus operandi, there is no evidence that the two groups are cooperating with each other.

This activity is typical of spear phishing campaigns, in which the attackers send tailored messages to their targets while also spending enough time researching their interests to identify their social and professional circles.

The initial contact is designed to appear harmless in an attempt to gain the target's trust and can last for weeks before proceeding to the exploit stage. That stage can lead to information theft and breaches such as data exfiltration.

To keep up the ruse, the hostile crew allegedly created fake profiles on social media platforms and impersonated field experts and journalists to trick victims into opening links.

The stolen credentials are used to log into the targeted email account and access sensitive information. Additionally, the attackers set up email forwarding rules to keep continuous visibility into victim communications.

The Russian government-backed group SEABORGIUM has a history of launching credential harvesting attacks by creating fake login pages that mimic legitimate defense companies and nuclear labs.

APT42, which operates as the espionage arm of Iran’s Islamic Revolutionary Guard Corps (IRGC), is said to overlap with PHOSPHORUS and is part of a larger group tracked as Charming Kitten.

Like SEABORGIUM, the group is known to impersonate journalists, research institutes, and think tanks, engaging targets with an ever-changing arsenal of tools and tactics to meet the IRGC’s evolving priorities.

Enterprise security firm Proofpoint said in December 2022 that the group would “use compromised accounts, malware, and confrontational lures to target people of diverse backgrounds, from medical researchers to realtors to travel agents,” calling it a deviation from expected phishing activity.

Additionally, what is notable about these campaigns is the use of email addresses of targeted individuals as a means of circumventing the security controls put in place on corporate networks.

“These campaigns by threat actors based in Russia and Iran continue to relentlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” NCSC Operations Director Paul Chichester said.
