Microsoft Threat Intelligence Center (MSTIC) experts say they disrupted an operation by the Russian-speaking hacking group SEABORGIUM targeting people and organizations in NATO countries.
The group, which Microsoft calls SEABORGIUM, has been known to researchers since at least 2017. Other companies track SEABORGIUM under the names COLDRIVER (Google), Callisto Group (F-Secure), and TA446 (Proofpoint). The group is believed to carry out cyber-espionage attacks against military personnel, government officials, think tanks and journalists in NATO countries, the Baltics, Scandinavia and Eastern Europe.
“In target countries, SEABORGIUM primarily focuses its operations on defense, intelligence and consulting companies, non-governmental and international organizations, think tanks and universities,” Microsoft analysts wrote. “SEABORGIUM has been seen attacking former intelligence officers, Russia experts and Russian citizens abroad.”
MSTIC analysts write that SEABORGIUM members create fake online identities through email, social media, and LinkedIn accounts. These fakes are then used against targeted individuals and organizations through social engineering.
Posing as these fake personas, the attackers contact targets of interest to strike up a conversation and build rapport, and eventually send the victim a phishing attachment in one of the emails. Microsoft says the hackers distributed emails with PDF attachments, links to file-sharing sites, or OneDrive accounts that also hosted PDF documents.
After opening such a file, the victim sees a message stating that the document cannot be displayed and that a button must be pressed to try again.
Of course, clicking the button only takes the victim to a landing page running a phishing framework (such as EvilGinx) that displays a login form. Since EvilGinx acts as a proxy between the victim and the real login service, the hackers are able to intercept and keep the credentials entered, as well as the cookies and authentication tokens issued after the victim logs in to the account.
These stolen tokens then allow attackers to log into the compromised user account, even if the victim has two-factor authentication enabled.
According to Microsoft, once the hackers gain access to the target account, they either steal emails and attachments or set up forwarding rules to receive all new mail arriving in the victim's compromised mailbox. The researchers also observed attackers using a compromised account to negotiate on behalf of the victim in order to obtain confidential information.
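The mailbox-forwarding step described above is one of the few post-compromise actions that leaves a durable trace in mailbox audit logs. The script below is an added illustration, not code from the article or from Microsoft: it scans constructed, simplified audit records (modelled on the Operation / UserId / Parameters shape of Exchange audit entries; field names and sample addresses are assumptions) and flags rule changes that forward or redirect mail to a domain outside the organization.

```python
# Constructed, simplified audit records (assumed shape, not real log data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "analyst@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "analyst@example.org",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@example.org"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.org",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
]

# Operations that can create or change forwarding, and the parameters that carry a destination.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}


def _params(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def forwards_externally(event, internal_domains):
    """Return the external destination address if this event forwards mail
    outside the organization, otherwise None."""
    if event.get("Operation") not in RULE_OPS:
        return None
    params = _params(event)
    for name in FORWARD_PARAMS:
        dest = params.get(name)
        if not dest:
            continue
        addr = dest.split(":", 1)[-1].strip().lower()   # drop an "smtp:" prefix if present
        domain = addr.rsplit("@", 1)[-1]
        if domain not in internal_domains:
            return addr
    return None


def find_suspicious_forwarding(events, internal_domains):
    """Collect external-forwarding rule changes; note when the rule also deletes
    the original, which hides the exfiltration from the mailbox owner."""
    hits = []
    for ev in events:
        dest = forwards_externally(ev, internal_domains)
        if dest:
            params = _params(ev)
            hits.append({"user": ev["UserId"], "destination": dest,
                         "rule_name": params.get("Name", ""),
                         "deletes_copy": params.get("DeleteMessage", "").lower() == "true"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_forwarding(SAMPLE_EVENTS, {"example.org"}):
        print(hit)
```

Forwarding to an internal address (the second record) is deliberately left unflagged so that ordinary delegation does not generate noise.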
MSTIC now says it has taken a number of steps to disrupt the SEABORGIUM malware campaign, including disabling accounts used by hackers for spying, phishing and email harvesting.
The company also shared indicators of compromise, including 69 domains that are associated with the group’s phishing campaigns and are used to steal credentials from Microsoft, ProtonMail, and Yandex accounts.