The UK’s National Cyber Security Centre (NCSC) has issued a warning about Russian and Iranian state-linked hackers who are increasingly targeting organizations and individuals.
Specifically, the agency has identified a spike in spear-phishing attacks attributed to two tracked threat actors, SEABORGIUM and TA453. The aim of the campaigns is to gather information from the victims.
“While there are similarities in TTPs (techniques, tactics, and procedures) and targeting profiles, these campaigns are distinct and the two groups do not collaborate,” the agency said.
SEABORGIUM, also known as “TA446,” is a Russian state-sponsored threat group that targeted NATO countries last summer.
Although Microsoft disrupted the group’s operations in August by disabling online accounts it used in those operations, the action did not completely stop the attackers.
TA453, also known as APT42, is an Iranian threat group believed to operate within the Islamic Revolutionary Guard Corps (IRGC) – a branch of Iran’s armed forces. The actor has previously been seen impersonating journalists to target academics and policy experts in the Middle East.
Spear phishing attacks
The NCSC advisory explains that the threat actors conduct reconnaissance using open-source resources, such as social networking services (e.g. LinkedIn), to gather enough information about their targets to craft convincing social engineering scenarios.
Both threat groups create multiple fake accounts posing as experts or journalists and email their targets from Outlook, Gmail and Yahoo accounts.
To increase their chances of success, the adversaries also set up malicious domains that mimic legitimate organizations in the target’s field of interest.
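One check a recipient-side tool can apply to such lookalike domains is to compare the sender’s registrable domain against the organizations the target actually corresponds with. The script below is an added example, not code from the NCSC advisory: the KNOWN_DOMAINS list, the sample addresses and the small table of confusable character substitutions are all constructed for illustration, and the similarity threshold is a heuristic choice.

```python
"""Classify a sender domain as legitimate, a lookalike, or simply unknown.

Added example, not from the NCSC advisory. KNOWN_DOMAINS, the sample addresses
and the CONFUSABLES table are constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed allow-list: domains the target legitimately corresponds with.
KNOWN_DOMAINS = ("example-institute.org", "example-news.com")

# Visually confusable substitutions seen in lookalike domains (illustrative subset).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels.

    Real code should consult the public suffix list so that suffixes such as
    co.uk are handled; this is enough for the constructed samples here.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold(domain: str) -> str:
    """Collapse confusable substitutions so 'exarnple' compares as 'example'."""
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def classify_sender(address: str, known=KNOWN_DOMAINS, threshold: float = 0.85):
    """Return ('legit' | 'lookalike' | 'unknown', closest known domain or None).

    Exact matches on the registrable domain are legit; otherwise the folded
    domain is compared with each known domain and a high similarity ratio
    without an exact match is treated as a lookalike.
    """
    domain = registrable(address.rsplit("@", 1)[-1])
    if domain in known:
        return "legit", domain
    folded = fold(domain)
    best_match, best_ratio = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, folded, fold(candidate)).ratio()
        if ratio > best_ratio:
            best_match, best_ratio = candidate, ratio
    if best_ratio >= threshold:
        return "lookalike", best_match
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders: genuine, two lookalikes, and an unrelated domain.
    for addr in ("dr.smith@example-institute.org",
                 "dr.smith@exarnple-institute.org",
                 "press@example-lnstitute.org",
                 "someone@unrelated-university.edu"):
        print(addr, "->", classify_sender(addr))
```

The point of the fold step is that a substitution such as "rn" for "m" leaves the two strings identical after folding, so the lookalike is caught even though a plain string comparison would miss it; the ratio comparison catches single-character swaps the table does not list.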
Once the threat actors have established a rapport with the victim, they share a malicious link that directs the target to a phishing site, where the attackers steal the email account credentials and gain access to the mailbox, including the archive of the target’s recent communications.
Furthermore, the intruders set up mail-forwarding rules on the victim’s email account so that any future correspondence between the victim and their contacts is automatically copied to them.
This step removes the need to log into the victim’s account repeatedly, which could trigger alerts, while still delivering every message the victim receives.
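Because the forwarding rule is what gives the attacker persistence without further logins, reviewing mailbox rules is the check a practitioner would want. The audit below is an added example, not code from the NCSC advisory: the rule records are constructed, their shape loosely follows the Microsoft Graph messageRule resource (displayName, isEnabled, actions with forwardTo, redirectTo, forwardAsAttachmentTo, delete, markAsRead), and ORG_DOMAIN is an assumed value for the victim’s own domain.

```python
"""Audit mailbox rules for attacker-style forwarding.

Added example, not from the NCSC advisory. SAMPLE_RULES and ORG_DOMAIN are
constructed; the record shape loosely follows the Microsoft Graph messageRule
resource, but the audit only depends on the keys it inspects.
"""

ORG_DOMAIN = "example-institute.org"  # assumption: the victim's own domain

# Constructed rule export: one benign rule, one attacker-style rule with a
# near-empty name that forwards externally and deletes the original, one
# internal redirect, and one disabled external forward that marks mail as read.
SAMPLE_RULES = [
    {"displayName": "Team updates", "isEnabled": True,
     "actions": {"moveToFolder": "Updates"}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive.backup@gmail.example"}}],
                 "delete": True}},
    {"displayName": "Assistant copy", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "assistant@example-institute.org"}}]}},
    {"displayName": "Old", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@evil.example"}}],
                 "markAsRead": True}},
]

# Every action type that sends a copy of the message somewhere else.
FORWARD_KEYS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def forward_targets(rule):
    """Collect every address a rule forwards or redirects to, lower-cased."""
    targets = []
    for key in FORWARD_KEYS:
        for recipient in rule.get("actions", {}).get(key) or []:
            targets.append(recipient["emailAddress"]["address"].lower())
    return targets


def audit_rule(rule, org_domain=ORG_DOMAIN):
    """Return a list of findings for one rule; empty means nothing suspicious."""
    actions = rule.get("actions", {})
    targets = forward_targets(rule)
    findings = []
    external = [t for t in targets if not t.endswith("@" + org_domain)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if targets and (actions.get("delete") or actions.get("markAsRead")):
        findings.append("forwards and hides the original (delete/markAsRead)")
    if findings:
        # Context that raises confidence once a rule is already suspicious.
        if len(rule.get("displayName", "").strip()) <= 1:
            findings.append("near-empty rule name")
        if not rule.get("isEnabled", True):
            findings.append("currently disabled, could be re-enabled later")
    return findings


def audit_rules(rules, org_domain=ORG_DOMAIN):
    """Return [(displayName, findings)] for every rule with at least one finding."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule, org_domain)
        if findings:
            flagged.append((rule.get("displayName", ""), findings))
    return flagged


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

On a real tenant the rule list would come from an export of the mailbox’s inbox rules rather than from SAMPLE_RULES; the internal redirect is deliberately left unflagged, since a redirect within the organization’s own domain is the common legitimate case, while a rule that forwards externally and also deletes or marks the original as read is the pattern that hides the attacker’s copy from the victim.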
NCSC recommends using strong (long), unique passwords for each online service and enabling multi-factor authentication (MFA) wherever possible.
Additionally, the NCSC suggests that potential targets enable their email providers’ automated email scanning features and disable all mail forwarding rules.
Finally, all messages sent from personal email addresses should be treated with suspicion, especially when the sender claims to represent a known and respected organization, such as a research center or media group.