
    SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest

    The Russia-based SEABORGIUM (Callisto Group/TA446/COLDRIVER/TAG-53) and Iran-based TA453 (APT42/Charming Kitten/Yellow Garuda/ITG18) actors continue to successfully use spear-phishing attacks against targeted organisations and individuals in the UK, and other areas of interest, for information gathering activity.

    Industry has previously published details of SEABORGIUM and TA453 activity. This advisory draws on that body of information.

    Throughout 2022, SEABORGIUM and TA453 targeted academia, defence, government organisations, NGOs and think-tanks, as well as individual politicians, journalists and activists.

    Although there is similarity in the TTPs and targeting profiles, these campaigns are separate and the two groups are not collaborating.

    This advisory aims to raise awareness of this activity among individuals and organisations in sectors known to be of interest to these actors, and sets out the specifics of the actors’ spear-phishing techniques.

    The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group, using information known to be of interest to the targets to engage them. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.

    Research and preparation

    Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, SEABORGIUM and TA453 identify hooks to engage their target. They take the time to research the target’s interests and to identify their real-world social or professional contacts. [T1589; T1593] (Identifiers in square brackets are MITRE ATT&CK technique IDs.)

    They have also created fake social media or networking profiles that impersonate respected experts [T1585.001], and used supposed conference or event invitations, as well as false approaches from journalists.

    Both SEABORGIUM and TA453 use webmail addresses from different providers (including Outlook, Gmail and Yahoo) in their initial approach [T1585.002], impersonating known contacts of the target or eminent names in the target’s field of interest or sector.

    The actors have also registered malicious domains resembling those of legitimate organisations to appear authentic [T1583.001]. Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in its SEABORGIUM blog, although this should not be considered exhaustive.

    Preference for personal email addresses

    SEABORGIUM and TA453 have predominantly sent spear-phishing emails to targets’ personal email addresses, although targets’ corporate or business addresses have also been used. Personal mailboxes typically sit outside the security controls in place on corporate networks, which may be why the actors favour them.

    Building a rapport

    Having taken the time to research their targets’ interests and contacts to create a believable approach, SEABORGIUM and TA453 now start to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.

    Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. The link leads to an actor-controlled server hosting a page that prompts the target to enter account credentials.

    The malicious link may be a URL in the email body, or the actor may embed the link in a document [T1566.001] hosted on OneDrive, Google Drive or another file-sharing platform.

    TA453 has also shared malicious links disguised as Zoom meeting URLs and, in one case, set up a Zoom call with the target in order to share the malicious URL in the meeting chat during the call.
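    The two technical points in the paragraphs above (actor-registered lookalike domains, and credential-harvesting links delivered in the body of a rapport-building email sent from a free webmail account) are the ones a mail-security team can actually check for. The following is an added example written for this page; it is not code from the NCSC advisory, from Microsoft or from TIO. It parses a constructed email, extracts every link and classifies each link's host against a small protected-domain list using four lookalike heuristics: the protected domain used as a sub-domain of an actor-owned one, homoglyph substitution (digits for letters, "rn" for "m"), single-edit typosquatting, and the protected name embedded among other words. The protected-domain list, the webmail list, the sender address, all domains under .example and the message text are constructed; the "registrable domain equals last two labels" rule is a simplification that stands in for a public-suffix list.

```python
"""Added example (not from the NCSC advisory or TIO): pull links out of an
inbound e-mail and flag domains that imitate ones we care about.
Everything here (the protected-domain list, the webmail list and the
message itself) is constructed for the example."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed: domains whose lookalikes we want to catch.
PROTECTED = ("outlook.com", "live.com", "zoom.us", "sharepoint.com")
# Constructed: free webmail providers of the kind the advisory says the actors send from.
WEBMAIL = ("gmail.com", "outlook.com", "yahoo.com", "hotmail.com")
# Digit-for-letter substitutions commonly used to imitate Latin letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion/deletion/substitution is typical typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so e.g. 'x.co.uk' is mishandled."""
    return ".".join(host.split(".")[-2:])


def normalise(domain: str) -> str:
    """Undo the cheap visual tricks: 'rn' for 'm', digits for letters."""
    return domain.replace("rn", "m").translate(HOMOGLYPHS)


def classify(host: str):
    """Return (verdict, protected_domain_matched_or_None) for a hostname."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    for p in PROTECTED:
        # Real domain used as a sub-domain of the actor's own: onedrive.live.com.evil.example
        if f".{p}." in f".{host}.":
            return ("subdomain-spoof", p)
    norm = normalise(reg)
    for p in PROTECTED:
        if norm == p:
            return ("homoglyph", p)
        if levenshtein(norm, p) <= 1:
            return ("typosquat", p)
    # Protected name embedded among other words: zoom-us.meeting-join.example
    squashed = re.sub(r"[.-]", "", host.rsplit(".", 1)[0])
    for p in PROTECTED:
        if p.replace(".", "") in squashed:
            return ("combosquat", p)
    return ("unknown", None)


def analyse_message(raw: str) -> dict:
    """Parse an RFC 5322 message, note a webmail sender, and classify every link."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, matched = classify(host)
        links.append((url, verdict, matched))
    return {"sender": sender, "webmail_sender": sender_domain in WEBMAIL, "links": links}


# Constructed message mirroring the rapport-then-link pattern described in the advisory.
SAMPLE_EML = """\
From: "Dr J. Example" <dr.j.example.research@gmail.com>
To: analyst@target.example
Subject: Re: your recent paper - draft for comment
Content-Type: text/plain; charset="utf-8"

Thanks again for the call last week. The draft is on my OneDrive:
https://onedrive.live.com.share-docs.example/view/draft.docx
Thursday's meeting: https://zoom-us.meeting-join.example/j/1234567890
If the link asks you to sign in use https://login.out1ook.com/ or https://www.outlok.com/
"""

if __name__ == "__main__":
    result = analyse_message(SAMPLE_EML)
    print("sender:", result["sender"], "(free webmail)" if result["webmail_sender"] else "")
    for url, verdict, matched in result["links"]:
        print(f"{verdict:16} {matched or '-':16} {url}")
```

    Run as a script it lists the sender (flagged as free webmail) and one verdict per link: the OneDrive link is a sub-domain spoof of live.com, the meeting link is a combosquat of zoom.us, and the two sign-in links are a homoglyph and a one-edit typosquat of outlook.com. The one-edit threshold is deliberately loose and will produce false positives on short protected names such as zoom.us; a production version would also use a real public-suffix list and decode IDN/punycode hostnames before comparing them.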

    Industry partners have also reported the use of multi-persona impersonation (use of two or more actor-controlled personas on a spear-phishing thread) to add the appearance of legitimacy.

    Although spear-phishing is an established technique used by many actors, SEABORGIUM and TA453 continue to use it successfully and evolve the technique to maintain their success.

    Individuals and organisations from previously targeted sectors should be vigilant of the techniques above. In the UK, report activity consistent with that described above to the NCSC.

    Information on effective defence against spear-phishing is included in the ‘Mitigation’ section of the NCSC advisory linked below.

    With thanks to the NCSC. The full story is here: https://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest


    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    Here’s how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW
