The UK’s National Cyber Security Centre (NCSC) has warned of two similar spear-phishing campaigns, one originating from Russia, the other from Iran.
The NCSC has attributed the campaigns to a Russia-based group called SEABORGIUM and the Iran-based TA453 group, also known as APT42. The threat groups target individuals working in academia, defence, government, non-government organisations, and think-tanks. Politicians, journalists and activists are also a target in an attempt to gather sensitive information.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” warned NCSC director of operations Paul Chichester.
The groups typically groom targets with emails or on platforms like LinkedIn, where the attackers create personalities with plausible back stories. Once trust is established, the victim is often lured into clicking on malicious links. In the past, those links have included false invitations to conferences, or URLs to all the fun and glamour of a Zoom meeting.
The target is then sent to a server controlled by the threat group that prompts for credentials. SEABORGIUM in particular has been known to set up email forwarding to monitor the victim's future activity, which persists even after the victim has reset their credentials.
The NCSC hence recommends disabling mail forwarding, and checking for forwarding rules that have already been added, as one spear-phishing mitigation. The usual mitigations are also recommended: strong, unique passwords for email accounts, MFA, enabling built-in email scanning features, and ongoing vigilance.
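The forwarding check above is the part that is easy to skip after a credential reset. The following is an added example, not code from the NCSC advisory or from either vendor: it audits a JSON export of mailbox inbox rules and flags every rule that forwards or redirects mail, marking destinations outside the organisation as external. The sample data is constructed; the property names follow Exchange Online's Get-InboxRule output (for example from `Get-InboxRule | ConvertTo-Json`), the mailboxes, rule names, addresses and the `INTERNAL_DOMAINS` set are assumptions.

```python
import json
import re

# Assumption (not from the advisory): the organisation's own mail domains.
# Any forwarding destination outside this set is treated as external.
INTERNAL_DOMAINS = {"example.org"}

# Inbox-rule actions that copy or divert mail out of the mailbox.
FORWARDING_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample data, shaped like a JSON export of Exchange Online inbox
# rules (e.g. Get-InboxRule | ConvertTo-Json). The property names follow
# Get-InboxRule; the mailboxes, rule names and addresses are invented.
SAMPLE_RULES_JSON = r"""
[
  {"MailboxOwnerId": "alice@example.org", "Name": "File travel mail",
   "Enabled": true, "ForwardTo": [], "ForwardAsAttachmentTo": [],
   "RedirectTo": [], "MoveToFolder": "Travel"},
  {"MailboxOwnerId": "alice@example.org", "Name": "Mail backup",
   "Enabled": true,
   "ForwardTo": ["\"Mail Backup\" [SMTP:backup-archive@example.net]"],
   "ForwardAsAttachmentTo": [], "RedirectTo": []},
  {"MailboxOwnerId": "bob@example.org", "Name": "Copy to assistant",
   "Enabled": true, "ForwardTo": ["carol@example.org"],
   "ForwardAsAttachmentTo": [], "RedirectTo": []},
  {"MailboxOwnerId": "dave@example.org", "Name": "Old redirect",
   "Enabled": false, "ForwardTo": [], "ForwardAsAttachmentTo": [],
   "RedirectTo": ["dave.personal@example.com"]}
]
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def recipient_addresses(value):
    """Extract SMTP addresses from a rule action value.

    Exchange prints recipients either as a bare address or as
    '"Display Name" [SMTP:user@domain]'; the regex handles both forms.
    """
    if isinstance(value, str):
        value = [value]
    found = []
    for item in value or []:
        found.extend(EMAIL_RE.findall(item))
    return found


def is_external(address, internal_domains):
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def audit_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per inbox rule that forwards or redirects mail.

    Disabled rules are reported too: an attacker who still holds a session
    can re-enable them, and the advice is to remove forwarding outright.
    """
    findings = []
    for rule in json.loads(rules_json):
        for action in FORWARDING_ACTIONS:
            recipients = recipient_addresses(rule.get(action))
            if not recipients:
                continue
            findings.append({
                "mailbox": rule.get("MailboxOwnerId"),
                "rule": rule.get("Name"),
                "action": action,
                "recipients": recipients,
                "enabled": bool(rule.get("Enabled", False)),
                "external": any(is_external(r, internal_domains)
                                for r in recipients),
            })
    return findings


def high_priority(findings):
    """Enabled rules sending mail outside the organisation: investigate first."""
    return [f for f in findings if f["enabled"] and f["external"]]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_JSON):
        flag = "EXTERNAL" if f["external"] else "internal"
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}: rule {f['rule']!r} {f['action']} -> "
              f"{', '.join(f['recipients'])} [{flag}, {state}]")
```

Inbox rules are only one place forwarding can live: mailbox-level forwarding (the `ForwardingSmtpAddress` setting in Exchange Online) and client-side rules held in Outlook are separate mechanisms and need their own check, and a rule that forwards internally still deserves a second look if nobody can explain it.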
Google cybersecurity subsidiary Mandiant and email security vendor Proofpoint have both linked TA453 to the Islamic Revolutionary Guard Corps.
Microsoft has characterized SEABORGIUM as having goals that align with Russian state interests. ®