Microsoft Disrupts Russian Cyber-Espionage Group Seaborgium

Microsoft claims to have disrupted a prolific Russian state-backed threat group known for conducting long-running cyber-espionage campaigns against mainly NATO countries.

In an update on August 15, the tech giant said it had disabled accounts used by the “Seaborgium” group for reconnaissance, phishing, and email collection, and updated detections against its phishing domains in Microsoft Defender SmartScreen.

Also known by threat researchers as Callisto Group, ColdRiver, TA446 and other monikers, Seaborgium is a “highly persistent threat actor” that focuses most of its time on the US and UK, and occasionally on the countries of the Baltics, Nordics and Eastern Europe.

“Once successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion,” said Microsoft.

“Seaborgium has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics.”

Since the start of the year, it has targeted over 30 organizations: mainly defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.

The group also targets individuals such as former intelligence officials and Russian citizens living abroad, Microsoft said.

After conducting reconnaissance on its targets, the group might try to establish rapport by contacting them on social media. Soon after, it will send a phishing email purporting to contain content of interest to the recipient.

The malicious URL may be placed in the body of the email, behind a clickable button that purports to open an attachment, or in a OneDrive link that takes the user to a PDF file containing the URL.

The end goal is credential theft and then data exfiltration.

“Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. On occasion, Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior,” Microsoft explained.

“Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials. After credentials are captured, the target is redirected to a website or document to complete the interaction.”

Once Seaborgium has access to the victim’s email account, it will look to exfiltrate intelligence data and, on occasion, approach other people of interest via these compromised accounts in order to access sensitive information.

Sometimes, it will even set up forwarding rules from victim inboxes to enable persistent data collection, Microsoft said.
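One defensive check against the forwarding-rule persistence described above is to review new inbox rules for targets outside the organization. The script below is an added example, not code from the article or from Microsoft; the audit events it scans are constructed samples in a simplified, hypothetical shape (real mail-platform audit exports use different field names), and `example.org` stands in for the defender's own domain.

```python
"""Flag inbox rules that forward or redirect mail outside the organization."""
from dataclasses import dataclass

# Assumption: the organization's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.org"}

# Rule actions that send a copy (or the original) of a message elsewhere.
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed "new inbox rule" audit events; not real data.
SAMPLE_EVENTS = [
    {"user": "analyst@example.org", "rule": "Archive",
     "ForwardTo": ["archive@example.org"], "DeleteMessage": False},
    {"user": "analyst@example.org", "rule": "Sync",
     "RedirectTo": ["collector@mail-relay.invalid"], "DeleteMessage": True},
    {"user": "director@example.org", "rule": "Newsletters",
     "ForwardTo": [], "DeleteMessage": False},
]


@dataclass
class Finding:
    user: str
    rule_name: str
    external_targets: list
    deletes_original: bool  # forward-and-delete hides the copy from the owner


def _domain(address: str) -> str:
    """Lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding_rules(events, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per rule whose forward/redirect target is external."""
    findings = []
    for ev in events:
        targets = [t for action in FORWARD_ACTIONS for t in ev.get(action, [])]
        external = [t for t in targets if _domain(t) not in internal_domains]
        if external:
            findings.append(Finding(ev["user"], ev["rule"], external,
                                    bool(ev.get("DeleteMessage"))))
    return findings


if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_EVENTS):
        print(finding)
```

Rules that both forward externally and delete the original deserve the highest priority, since the mailbox owner never sees the diverted mail.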