The U.K. National Cyber Security Centre (NCSC) has issued a warning of Russian and Iranian state-sponsored hackers increasingly targeting organizations and individuals.
More specifically, the country’s cybersecurity agency has identified a spike in spear-phishing attacks attributed to threat actors tracked as SEABORGIUM and TA453. The goal of the campaigns is to gather information from the victims.
“Although there is similarity in the TTPs (techniques, tactics, and procedures) and targeting profiles, these campaigns are separate, and the two groups are not collaborating,” the agency says.
SEABORGIUM, also known as ‘TA446,’ is a Russian state-sponsored threat group that targeted NATO countries last summer.
Although Microsoft disrupted the group’s operation in August by disabling the online accounts used for the operations, the action did not completely stop the attackers.
TA453, also known as APT42, is an Iranian threat group believed to be operating from within the Islamic Revolutionary Guard Corps (IRGC) – the main branch of the Iranian Armed Forces. The actor was previously seen impersonating journalists, targeting academics and policy experts in the Middle East.
NCSC’s advisory explains that the threat actors conduct reconnaissance using open-source resources, such as networking services (e.g. LinkedIn), to gather enough information about their targets and devise convincing social engineering scenarios.
Both threat groups create multiple fake accounts that impersonate experts or journalists and send emails to their targets via Outlook, Gmail, and Yahoo accounts.
To increase their chances of success, the adversaries also create malicious domains that mimic legitimate organizations that are usually in the target’s field of interest.
Once the threat actors have built a rapport with the victim, they share a malicious link that takes the target to a phishing site, where the attackers harvest email account credentials and gain access to the target’s entire archive of recent communications.
In addition, the intruders set up mail-forwarding rules on the victim’s email account, so all future correspondence between the victim and their contacts is automatically shared with them.
This step removes the need to log into the victim’s account repeatedly, which could trigger alerts, while still giving the attackers every message the victim receives.
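The forwarding-rule persistence described above is something defenders can audit for directly. As an added example (not from the NCSC advisory or this article), the Python below checks a constructed export of one mailbox's inbox rules and reports every rule that forwards or redirects mail, rating external destinations and delete-the-original behaviour highest; the field names, domains and sample addresses are assumptions.

```python
from dataclasses import dataclass

# Constructed: domains that count as internal for this mailbox's owner.
INTERNAL_DOMAINS = {"example.org"}
FORWARD_FIELDS = ("forward_to", "forward_as_attachment_to", "redirect_to")

# Constructed sample of one mailbox's inbox rules, mirroring the fields an
# inbox-rule export commonly carries. The second rule is the attacker-style one.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True, "move_to": "Lists"},
    {"name": ".", "enabled": True, "forward_to": ["sync@mail-relay.example.net"],
     "delete_message": True},
    {"name": "Team copy", "enabled": True, "redirect_to": ["assistant@example.org"]},
    {"name": "Old home copy", "enabled": False, "forward_to": ["me@home.example"]},
]

@dataclass
class Finding:
    rule: str
    severity: str  # "high", "medium" or "low"
    reason: str

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def audit_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Report every rule that forwards or redirects mail (the advice is to
    disable them all); severity rises when mail leaves the internal domains."""
    findings = []
    for rule in rules:
        targets = [t for f in FORWARD_FIELDS for t in rule.get(f, [])]
        if not targets:
            continue  # not a forwarding rule (e.g. move-to-folder)
        if not rule.get("enabled", True):
            findings.append(Finding(rule["name"], "low",
                                    "disabled forwarding rule; remove it anyway"))
            continue
        external = [t for t in targets if _domain(t) not in internal_domains]
        if not external:
            findings.append(Finding(rule["name"], "medium",
                                    "forwards inside the organisation; confirm the user created it"))
            continue
        reason = "forwards mail to external address(es): " + ", ".join(external)
        if rule.get("delete_message"):
            # Deleting the original hides the forwarding from the mailbox owner.
            reason += "; also deletes the original message"
        findings.append(Finding(rule["name"], "high", reason))
    return findings
```

Run against a real export, the same logic applies once the provider's rule fields are mapped onto `FORWARD_FIELDS`.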
The NCSC recommends using strong (long) and unique passwords for every online service and turning on multi-factor authentication (MFA) protection where possible.
Additionally, the NCSC suggests that potential targets enable their email providers’ automated email scanning features and disable all mail-forwarding rules.
Finally, all messages sent from personal email addresses should be treated with suspicion, especially when the sender claims to represent a well-known and respected organization such as a research center or a media group.