Security Parrot - Cyber Security News, Insights and Reviews
News
Microsoft says it interfered with the operations of the Russian-speaking group SEABORGIUM

Last updated: 2022/08/18 at 2:58 PM
Security Parrot Editorial Team Published August 18, 2022

Microsoft Threat Intelligence Center (MSTIC) experts say they have disrupted an operation by the Russian-speaking hacking group SEABORGIUM targeting people and organizations in NATO countries.

The group, which Microsoft tracks as SEABORGIUM, has been known to researchers since at least 2017. Other vendors track the same actor as COLDRIVER (Google), Callisto Group (F-Secure) and TA446 (Proofpoint). It is believed to conduct cyber-espionage against military personnel, government officials, think tanks and journalists in NATO countries, the Baltics, Scandinavia and Eastern Europe.

“In target countries, SEABORGIUM primarily focuses its operations on defense, intelligence and consulting companies, non-governmental and international organizations, think tanks and universities,” Microsoft analysts wrote. “SEABORGIUM has been seen attacking former intelligence officers, Russia experts and Russian citizens abroad.”

MSTIC analysts write that SEABORGIUM operators create fake online personas backed by email, social media and LinkedIn accounts, and then use those personas to socially engineer targeted individuals and organizations.

Posing as these personas, the attackers contact targets of interest to strike up a conversation and build rapport, and eventually send the victim a phishing attachment in one of the emails. Microsoft says the emails carried PDF attachments, links to file-sharing sites, or links to OneDrive accounts that likewise hosted PDF documents.

When the victim opens such a file, it displays a message saying that the document cannot be viewed and that a button must be pressed to try again.

Clicking the button, of course, only takes the victim to a landing page running a phishing framework such as Evilginx, which displays a login form. Because Evilginx sits between the victim and the real login service as a reverse proxy (an adversary-in-the-middle setup), the attackers can capture the credentials the victim enters as well as the session cookies and authentication tokens issued after a successful login.

These stolen tokens then let the attackers sign in to the compromised account even if the victim has two-factor authentication enabled: the victim completes the MFA challenge through the proxy, and it is the resulting authenticated session that gets stolen. Phishing-resistant methods such as FIDO2/WebAuthn security keys are not defeated this way, because the credential is bound to the genuine site's origin and cannot complete a login on the proxy's look-alike domain.
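One trace a stolen session leaves is the same session identifier being used from two different source IPs within minutes: the victim signs in through the proxy, and the attacker replays the captured cookie from their own infrastructure shortly afterwards. The following is an added example of that check, not code from Microsoft or from the page; the event tuples are a constructed, simplified shape and not any vendor's real sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in/activity events:
# (timestamp, user, session_id, source_ip, user_agent).
# Simplified, made-up shape; not Microsoft's sign-in log schema.
SAMPLE_EVENTS = [
    ("2022-08-10T09:00:05Z", "alice@example.test", "sess-1111", "203.0.113.10", "Edge/104"),
    ("2022-08-10T09:00:40Z", "alice@example.test", "sess-1111", "198.51.100.77", "Firefox/103"),
    ("2022-08-10T11:30:00Z", "bob@example.test", "sess-2222", "203.0.113.20", "Edge/104"),
    ("2022-08-10T16:45:00Z", "bob@example.test", "sess-2222", "203.0.113.20", "Edge/104"),
    ("2022-08-11T08:00:00Z", "carol@example.test", "sess-3333", "203.0.113.30", "Edge/104"),
    ("2022-08-11T08:10:00Z", "carol@example.test", "sess-3333", "192.0.2.5", "Edge/104"),
    ("2022-08-11T20:00:00Z", "carol@example.test", "sess-3333", "203.0.113.30", "Edge/104"),
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(events, window_seconds=3600):
    """Return one finding for every pair of consecutive uses of the same
    session id that come from different source IPs within window_seconds.
    A replayed AiTM-stolen cookie typically shows up this way: a second
    IP the victim never used, minutes after the victim's own sign-in."""
    by_session = defaultdict(list)
    for ts, user, session_id, ip, ua in events:
        by_session[session_id].append((_parse_ts(ts), user, ip, ua))

    findings = []
    for session_id, uses in by_session.items():
        uses.sort()  # chronological order within the session
        for (t1, user, ip1, ua1), (t2, _, ip2, ua2) in zip(uses, uses[1:]):
            gap = (t2 - t1).total_seconds()
            if ip1 != ip2 and gap <= window_seconds:
                findings.append({
                    "user": user,
                    "session_id": session_id,
                    "first_ip": ip1,
                    "second_ip": ip2,
                    "seconds_apart": int(gap),
                    # A different browser fingerprint on the second use
                    # is a second, independent signal of a replayed token.
                    "user_agent_changed": ua1 != ua2,
                    "at": t2,
                })
    findings.sort(key=lambda f: f["at"])  # earliest suspicious reuse first
    return findings


if __name__ == "__main__":
    for f in find_token_replay(SAMPLE_EVENTS):
        print(f"{f['user']} session {f['session_id']}: {f['first_ip']} -> {f['second_ip']} "
              f"after {f['seconds_apart']}s (UA changed: {f['user_agent_changed']})")
```

On real logs, the IP comparison should be widened to ASN or country to avoid alerting on mobile and VPN address changes, and the window tuned to the token lifetime; the user-agent change is the stronger discriminator when the victim's device and the attacker's differ.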

According to Microsoft, once the attackers gain access to the target account, they either download emails and attachments directly or set up forwarding rules so that all new mail arriving in the victim's mailbox is copied to them. The researchers also observed the attackers using a compromised account to correspond with the victim's contacts in the victim's name in order to obtain confidential information.
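Forwarding rules of this kind are visible in mailbox audit records, so a defender can sweep for them after a suspected compromise. The following is an added example of that sweep, not code from Microsoft or from the page. The records are constructed and follow a simplified version of the Exchange Online unified audit log shape (an Operation plus a Parameters list of Name/Value pairs); the addresses and rule names are made up. It goes slightly beyond the article's "forwarding rules" by also catching mailbox-level forwarding set with Set-Mailbox, since that achieves the same exfiltration without an inbox rule.

```python
import json

# Constructed audit records in a simplified unified-audit-log shape.
# A rule named "." with DeleteMessage set is a classic attempt to hide
# the forwarding from the mailbox owner.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2022-08-10T09:05:00", "Operation": "New-InboxRule",
                "UserId": "alice@example.test",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@mail-drop.test"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2022-08-10T12:00:00", "Operation": "New-InboxRule",
                "UserId": "bob@example.test",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2022-08-11T08:12:00", "Operation": "Set-InboxRule",
                "UserId": "carol@example.test",
                "Parameters": [{"Name": "Identity", "Value": "Travel"},
                               {"Name": "RedirectTo", "Value": "SMTP:carol.backup@example.test"}]}),
    json.dumps({"CreationTime": "2022-08-11T09:00:00", "Operation": "Set-Mailbox",
                "UserId": "dave@example.test",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "SMTP:dave@outside.test"}]}),
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _clean_address(value):
    """Strip the 'SMTP:' prefix some cmdlets record and normalise case."""
    value = value.strip()
    if value.upper().startswith("SMTP:"):
        value = value[5:]
    return value.lower()


def find_forwarding(records, internal_domains):
    """Return a finding for every record that creates or changes an inbox
    rule (or mailbox-level forwarding) that sends mail to another address.
    Findings that go to an external domain, or that also delete the
    original message, are the ones worth paging on."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in records:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = []
        if op in RULE_OPS:
            targets = [(name, params[name]) for name in FORWARDING_PARAMS if name in params]
        elif op == "Set-Mailbox" and "ForwardingSmtpAddress" in params:
            targets = [("ForwardingSmtpAddress", params["ForwardingSmtpAddress"])]
        for action, raw in targets:
            addr = _clean_address(raw)
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "operation": op,
                "rule": params.get("Name") or params.get("Identity"),
                "action": action,
                "recipient": addr,
                "external": addr.rsplit("@", 1)[-1] not in internal,
                "deletes_original": params.get("DeleteMessage", "False").lower() == "true",
            })
    return findings


if __name__ == "__main__":
    for f in find_forwarding(SAMPLE_RECORDS, ["example.test"]):
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['time']} {f['user']} {f['operation']} rule={f['rule']!r} "
              f"{f['action']} -> {f['recipient']} [{flag}, deletes={f['deletes_original']}]")
```

Real audit exports wrap the parameters in more layers and may record addresses in other forms, so the address cleaning is the piece to adapt first; the rule logic itself (any forward or redirect, weighted by external destination and deletion) carries over unchanged.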

MSTIC says it has now taken a number of steps to disrupt the SEABORGIUM campaign, including disabling the accounts the group used for reconnaissance, phishing and email harvesting.

The company also shared indicators of compromise, including 69 domains associated with the group's phishing campaigns and used to steal credentials for Microsoft, ProtonMail and Yandex accounts.
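A published domain list is only useful if it is matched against logs correctly: a hit should cover the IOC domain and any subdomain of it, but not a look-alike that merely contains the string, and not a URL that only mentions the domain in its query string. The following is an added example of such a matcher over proxy logs, not code from Microsoft or from the page. The IOC domains and log lines are constructed placeholders; they are not the 69 domains Microsoft published.

```python
from urllib.parse import urlsplit

# Placeholder IOC domains (made up; not the domains Microsoft published).
IOC_DOMAINS = ["ioc-domain-1.test", "ioc-domain-2.test"]

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>".
# Lines 3, 5 and 6 are deliberate near-misses that a substring match
# would wrongly flag; line 4 is a true hit written in upper case with
# a trailing dot.
SAMPLE_LOG = """\
2022-08-12T10:01:00Z 203.0.113.10 GET https://login.ioc-domain-1.test/owa/
2022-08-12T10:01:04Z 203.0.113.10 POST https://login.ioc-domain-1.test/owa/auth.php
2022-08-12T10:02:00Z 203.0.113.11 GET https://notioc-domain-1.test/
2022-08-12T10:03:00Z 203.0.113.12 GET https://IOC-DOMAIN-2.TEST./index.html
2022-08-12T10:04:00Z 203.0.113.13 GET https://mail.example.test/?next=ioc-domain-2.test
2022-08-12T10:05:00Z 203.0.113.14 GET https://ioc-domain-2.test.example.test/
"""


def _normalise(host):
    """Lower-case and drop a trailing root dot so 'A.B.' and 'a.b' compare equal."""
    return host.rstrip(".").lower()


def build_matcher(iocs):
    """Return a function mapping a hostname to the IOC that covers it
    (exact match or any subdomain), or None."""
    ioc_set = {_normalise(d) for d in iocs}

    def matching_ioc(host):
        labels = _normalise(host).split(".")
        # Walk from the full name up through its parents: a.b.c -> b.c -> c
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in ioc_set:
                return candidate
        return None

    return matching_ioc


def scan_proxy_log(log_text, iocs):
    """Return one hit per log line whose request host is covered by an IOC."""
    match = build_matcher(iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname  # host only; query strings are ignored
        if not host:
            continue
        ioc = match(host)
        if ioc:
            hits.append({"line": n, "time": ts, "client": client,
                         "host": _normalise(host), "ioc": ioc})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG, IOC_DOMAINS):
        print(f"line {h['line']}: {h['client']} -> {h['host']} (IOC {h['ioc']})")
```

The same label-walking matcher works for DNS query logs and mail headers; only the field extraction changes. Keep the IOC set normalised once at load time rather than per line, as above, so a list of a few thousand domains stays a set lookup per label.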
