Advisory SEABORGIUM and TA453 Threat Alert continue their respective TLP COLOUR spear-phishing campaigns against targets of interest Version 1 26 January 2023  Crown Copyright 2023 SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest Activity against targeted organisations and individuals in the UK and other areas of interest Overview The Russia-based SEABORGIUM Callisto Group TA446 COLDRIVER TAG-53 and Iran-based TA453 APT42 Charming Kitten Yellow Garuda ITG18 actors continue to successfully use spear-phishing attacks against targeted organisations and individuals in the UK and other areas of interest for information gathering activity Industry has previously published details of SEABORGIUM and TA453 activity 1 This advisory draws on that body of information Throughout 2022 SEABORGIUM and TA453 targeted sectors included academia defence governmental organisations NGOs think-tanks as well as politicians journalists and activists Although there is similarity in the TTPs and targeting profiles these campaigns are separate and the two groups are not collaborating This advisory aims to raise awareness of this activity for individuals and organisations in sectors known to be of interest to these actors It helps identify the specifics of these actors’ spear-phishing techniques 1https www microsoft com security blog 2022 08 15 disrupting-seaborgiums-ongoing-phishing- operations https blog google threat-analysis-group continued-cyber-activity-in-eastern-europe-observed-by-tag https blog certfa com posts charming-kitten-can-we-wave-a-meeting https www proofpoint com uk blog threat-insight ta453-uses-multi-persona-impersonation-capitalizefomo https www proofpoint com us blog threat-insight ta453-refuses-be-bound-expectations Outline of the attacks The activity is typical of spear-phishing campaigns where an actor targets a specific individual or group using information known to be of interest to the targets to engage them In a spear-phishing campaign an actor perceives their target to have direct access to information of interest be an access vector to another target or both Research and preparation Using open-source resources to conduct reconnaissance including social media and professional networking platforms SEABORGIUM and TA453 identify hooks to engage their target They take the time to research their interests and identify their real-world social or professional contacts T1589 T1593 They have also created fake social media or networking profiles that impersonate respected experts T1585 001 and used supposed conference or event invitations as well as false approaches from journalists Both SEABORGIUM and TA453 use webmail addresses from different providers including Outlook Gmail and Yahoo in their initial approach T1585 002 impersonating known contacts of the target or eminent names in the target’s field of interest or sector The actors have also created malicious domains resembling legitimate organisations to appear authentic T1583 001 Microsoft Threat Intelligence Center MSTIC provide a list of observed Indicators of Compromise IOCs in their SEABORGIUM blog 2 although this should not be considered as exhaustive Preference for personal email addresses SEABORGIUM and TA453 have predominantly sent spear-phishing emails to targets’ personal email addresses although targets’ corporate or business email addresses have also been used The actors may use personal emails to circumvent security controls in place on corporate networks Building a rapport Having taken the time to research their targets’ interests and contacts to create a believable approach SEABORGIUM and TA453 now start to build trust They often begin by establishing benign contact on a topic they hope will engage their targets 2 https www microsoft com en-us security blog 2022 08 15 disrupting-seaborgiums-ongoingphishing-operations There is often some correspondence between attacker and target sometimes over an extended period as the attacker builds rapport Delivery of malicious link Once trust is established the attacker uses typical phishing tradecraft and shares a link T1566 002 apparently to a document or website of interest This leads the target to an actor-controlled server prompting the target to enter account credentials The malicious link may be a URL in an email message or the actor may embed a link in a document T1566 001 on OneDrive GoogleDrive or other file-sharing platforms 3 TA453 has even shared malicious links disguised as Zoom meeting URLs and in one case even set up a Zoom call with the target to share the malicious URL in the chat bar during the call 4 Industry partners have also reported the use of multi-persona impersonation 5 use of two or more actor-controlled personas on a spear-phishing thread to add the appearance of legitimacy Exploitation and further activity Whichever delivery method is used once the target clicks on the malicious URL they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service Any credentials entered at this point are now compromised 6 The SEABORGIUM and TA453 actors then use the stolen credentials to log in to targets’ email accounts T1078 from where they are known to access and steal emails and attachments from the victim’s inbox T1114 002 They have also set-up mail-forwarding rules giving them ongoing visibility of victim correspondence T1114 003 7 The actors have also used their access to a victim email account to access mailinglist data and victim’s contacts lists The actors then use this information for follow-on 3 https blog google threat-analysis-group continued-cyber-activity-in-eastern-europe-observed-bytag 4 https blog certfa com posts charming-kitten-can-we-wave-a-meeting 5 https www proofpoint com uk blog threat-insight ta453-uses-multi-persona-impersonationcapitalize-fomo 6 https www microsoft com en-us security blog 2022 08 15 disrupting-seaborgiums-ongoingphishing-operations 7 https www microsoft com security blog 2022 08 15 disrupting-seaborgiums-ongoing-phishingoperations targeting and have also used compromised email accounts for further phishing activity T1586 002 Conclusion Although spear-phishing is an established technique used by many actors SEABORGIUM and TA453 continue to use it successfully and evolve the technique to maintain their success Individuals and organisations from previously targeted sectors should be vigilant of the techniques above In the UK report activity consistent with that described above to the NCSC Information on effective defence against spear-phishing is included in the ‘Mitigation’ section below MITRE ATT CK This report has been compiled with respect to the MITRE ATT CK® framework a globally accessible knowledge base of adversary tactics and techniques based on real-world observations Tactic ID Technique Procedure Reconnaissance T1593 Search Open Websites Domains SEABORGIUM actors use open source research and social media to identify information about victims to be used in targeting Reconnaissance T1589 Gather Victim Identity Information Resource Development T1585 001 Establish Accounts Social Media Accounts Resource Development T1585 002 Establish Accounts Email Accounts Resource Development T1583 001 Acquire Infrastructure Domains Resource Development T1586 002 Compromise Accounts Email Accounts Initial Access T1078 Valid Accounts TA453 actors likely use professional networking sites and other open source resources to research their targets SEABORGIUM and TA453 actors use online data sets and open source resources to gather information about their targets SEABORGIUM actors have been observed to establish fraudulent profiles on professional networking sites to conduct reconnaissance TA453 actors have been observed to use fraudulent profiles on professional networking and other social media sites to approach their targets SEABORGIUM and TA453 actors register consumer email accounts matching the names of individuals they are impersonating to conduct spearphishing activity SEABORGIUM actors register domains used to host their phishing framework TA453 actors register domains to host fake login pages SEABORGIUM actors have been observed to use compromised victim email accounts to conduct spearphishing activity against contacts of the original victim SEABORGIUM and TA453 actors use compromised credentials Initial Access T1566 001 Phishing Spearphishing Attachment Initial Access T1566 002 Phishing Spearphishing Link Collection T1114 002 Email Collection Remote Email Collection Collection T1114 003 Email Collection Email Forwarding Rule captured from fake login pages to log in to valid victim user accounts SEABORGIUM actors use malicious links embedded in an email attachment to direct victims to their credential stealing sites SEABORGIUM actors send spearphishing emails with malicious links directly to credential stealing sites or to documents hosted on a file sharing site which direct victims to credential stealing sites TA453 actors send spearphishing emails with malicious links directly to credential stealing sites and to malware hosted on a file sharing site SEABORGIUM and TA453 actors interact directly with externally facing Exchange services Office 365 or Google Workspace to access email and steal information using compromised credentials or access tokens SEABORGIUM actors may abuse email-forwarding rules to monitor the activities of a victim steal information and maintain persistent access to victim's emails even after compromised credentials are reset Mitigation A number of mitigations will be useful in defending against the activity described in this advisory alert • Use strong passwords use a separate password for email accounts and avoid password re-use across multiple services See NCSC Guidance https www ncsc gov uk collection top-tips-for-staying-secure-online use-a-strong-andseparate-password-for-email • Use multi-factor authentication 2-factor authentication two-step authentication to reduce the impact of password compromises See NCSC Guidance https www ncsc gov uk guidance multi-factor-authentication-online-services and https www ncsc gov uk guidance setting-two-factor-authentication-2fa • Protect your devices and networks by keeping them up to date use the latest supported versions apply security updates promptly use anti-virus and scan regularly to guard against known malware threats See NCSC Guidance https www ncsc gov uk collection mobile-device-guidance antivirus-and-other-securitysoftware • Exercise vigilance Spear-phishing emails are tailored to avoid suspicion You may recognise the sender’s name but has the email come from an address that you recognise Would you expect contact from this person’s webmail address rather than their corporate email address Has the suspicious email come to your personal webmail address rather than your corporate one Can you verify that the email is legitimate via another means See guidance https www ncsc gov uk phishing CPNI’s ‘Think Before You Link’ app can help individuals identify malicious online profiles and reduce the risk of being targeted in the first instance For more information visit https thinkbeforeyoulink app • Enable your email providers’ automated email scanning features These are turned on by default for consumer mail providers See NCSC guidance https www ncsc gov uk blogpost telling-users-to-avoid-clicking-bad-links-still-isnt-working • Disable mail-forwarding Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails If you cannot disable mail-forwarding then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor