Microsoft announced it has taken action to disrupt phishing operations carried out by a “highly persistent threat actor” whose goals closely align with Russian state interests. Microsoft tracks the espionage-focused activity cluster under the chemical-element-themed alias SEABORGIUM, which it says overlaps with the group known elsewhere as Callisto, COLDRIVER, and TA446.

“SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft,” stated Microsoft’s threat hunting teams in a joint announcement. Microsoft observed “only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets.”

The main targets include defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), higher education institutions, and think tanks, and, to a lesser extent, organizations in the Baltics, the Nordics, and Eastern Europe. Additional targets of interest are former intelligence officers, Russian affairs experts, and Russian nationals living abroad.
The group runs its campaigns against organizations over extended periods, using phishing, impersonation, and rapport-building to work its way into victims’ social networks. The process starts with reconnaissance of potential targets using fake personas created on social media sites such as LinkedIn. Contact is then established through benign-looking email messages sent from a recently registered account. Once the target has been drawn into the conversation, the threat actor sends a weaponized message containing either a malicious PDF document or a link to a malicious file hosted on OneDrive.

“SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account,” stated Microsoft.

Microsoft also found that the adversary conceals its operational infrastructure behind open redirects on legitimate-looking sites, which forward visitors to an actor-controlled server that prompts them for their credentials. The social engineering effort can be extensive: Microsoft identified multiple cases in which a prolonged, trusted exchange allowed the threat actor to reach several participants in the same discussion.
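The two delivery patterns described above, a lure hosted on a file-sharing service and an open redirect on a trusted-looking domain that forwards to a credential-harvesting page, can both be surfaced from the links in a message body. The triage below is an added example for mail-security tooling and is not code from Microsoft's report; the host list and the sample message are constructed placeholders.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hosts the article describes as abused for lure hosting (OneDrive).
# This set is an assumption for the example; tune it to your environment.
FILE_HOSTS = {"onedrive.live.com", "1drv.ms"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def redirect_target(url: str) -> Optional[str]:
    """Return the embedded destination host when `url` matches the open-redirect
    pattern: a query parameter whose value is itself an absolute http(s) URL
    pointing at a different host than the outer link."""
    outer = urlparse(url)
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(unquote(value))  # tolerate double-encoded values
            if inner.scheme in ("http", "https") and inner.netloc \
                    and inner.netloc.lower() != outer.netloc.lower():
                return inner.netloc.lower()
    return None


def triage_links(body: str) -> List[Dict[str, object]]:
    """Extract every URL from a message body and flag the two lure patterns."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the link
        host = urlparse(url).netloc.lower()
        reasons = []
        if host in FILE_HOSTS:
            reasons.append("file-sharing host used as lure landing page")
        target = redirect_target(url)
        if target:
            reasons.append(f"open-redirect pattern to {target}")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


# Constructed sample message body; all hostnames are placeholders, not real IoCs.
SAMPLE_BODY = """Hi,
As discussed, the draft is here: https://onedrive.live.com/redir?resid=CONSTRUCTED-ID
Alternative link: https://trusted-portal.example/redirect?url=https%3A%2F%2Fcreds-collector.example%2Flogin
Agenda for the call: https://intranet.example/agenda.
Best regards"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_BODY):
        print(finding["url"], "->", "; ".join(finding["reasons"]))
```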