State-linked hackers in Russia and Iran have been targeting politicians, journalists and others in the UK and elsewhere through a ‘sophisticated’ spear-phishing campaign.
The UK’s National Cyber Security Centre (NCSC) has identified two hacking groups – Russia-based Seaborgium and Iran-based TA453 – as the culprits and has issued an alert warning those in defense organizations, the media and government against clicking on malicious links.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” says NCSC director of operations Paul Chichester.
“We strongly encourage organizations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
While the two groups have been active for some time, they are believed to have stepped up their operations significantly since Russia’s invasion of Ukraine, targeting individuals in the US and elsewhere, as well as in the UK.
And they go to some trouble to do this, with the NCSC describing the campaign as particularly elaborate and sophisticated.
The groups research their targets in detail, identifying their contacts and then faking social media or networking profiles to impersonate respected experts, creating fake conference or event invitations, and faking approaches from journalists.
“Both Seaborgium and TA453 use webmail addresses from different providers (including Outlook, Gmail and Yahoo) in their initial approach, impersonating known contacts of the target or eminent names in the target’s field of interest or sector,” says the NCSC.
“The actors have also created malicious domains resembling legitimate organisations to appear authentic.”
The NCSC says that, unusually, it’s victims’ personal email accounts that are targeted, rather than their official work accounts. This, it says, not only bypasses any security controls but also means that the victim is less likely to be on their guard.
After developing a relationship with their target, the groups share malicious links, often in the form of a Zoom meeting URL. In one example, TA453 set up a Zoom call with the target to share the malicious URL in the chat bar during the call.
The victim’s credentials are then seized and used to log in to the victim’s email account, where the hackers can access and steal emails and attachments from the inbox. They have also set up mail forwarding, allowing them to view ongoing correspondence, and have been able to access mailing-list data and victims’ contact lists.
This information is then used for follow-on targeting and further phishing activity.
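The mail-forwarding step described above leaves an artefact a defender can audit: an inbox rule that silently copies mail to an address outside the organisation. The following is an added example, not code from the NCSC advisory; it audits a constructed export of inbox rules and flags any that forward to an external domain, ranking forwards to the free webmail providers named in the advisory highest. The record fields, the internal domain and the sample rules are assumptions made for the example.

```python
"""Audit mailbox inbox rules for external auto-forwarding (added example).

The rule records imitate the fields an administrator might export from a mail
platform; the field names and sample data are assumptions, not any vendor's
schema.
"""
from dataclasses import dataclass

# Domains the organisation owns (assumed for this example).
INTERNAL_DOMAINS = {"example.org"}
# Free webmail providers the advisory says the actors used.
WEBMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com"}


@dataclass
class InboxRule:
    mailbox: str            # owner of the rule
    name: str               # rule name as shown in the mail client
    forward_to: list[str]   # addresses the rule forwards or redirects to
    enabled: bool = True


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def classify_rule(rule: InboxRule) -> str:
    """Return 'ok', 'external' or 'webmail' for a single inbox rule."""
    if not rule.enabled or not rule.forward_to:
        return "ok"
    domains = {domain_of(a) for a in rule.forward_to}
    if domains & WEBMAIL_DOMAINS:
        return "webmail"           # forward to a free webmail account
    if domains - INTERNAL_DOMAINS:
        return "external"          # forward outside the organisation
    return "ok"                    # purely internal forwarding


def audit(rules: list[InboxRule]) -> list[tuple[str, InboxRule]]:
    """Return only rules worth an analyst's attention, most severe first."""
    severity = {"webmail": 0, "external": 1}
    findings = [(classify_rule(r), r) for r in rules]
    findings = [(c, r) for c, r in findings if c != "ok"]
    return sorted(findings, key=lambda cr: severity[cr[0]])


# Constructed sample export: an internal rule, a silent forward to webmail,
# a forward to a partner domain and a disabled rule.
SAMPLE_RULES = [
    InboxRule("alice@example.org", "To team", ["team@example.org"]),
    InboxRule("alice@example.org", ".", ["a.reader.2022@gmail.com"]),
    InboxRule("bob@example.org", "Partner copy", ["liaison@partner.example"]),
    InboxRule("bob@example.org", "old", ["me@yahoo.com"], enabled=False),
]

if __name__ == "__main__":
    for verdict, rule in audit(SAMPLE_RULES):
        print(f"{verdict:8} {rule.mailbox:20} {rule.name!r:16} -> {rule.forward_to}")
```

In practice the rule list would come from the mail platform's own export or API rather than the constructed sample, and a flagged rule on a mailbox belonging to someone in a targeted role is a prompt to check that account's recent sign-ins.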
The Seaborgium group – also known as Cold River and Callisto – was last year found to be targeting three nuclear research laboratories in the US, and was also accused of hacking and leaking emails from former director of MI6 Richard Dearlove.
Meanwhile, TA453, also known as Charming Kitten, has been accused of targeting US politicians and national infrastructure organizations.
“We strongly encourage targeted organisations and individuals to stay vigilant and take steps to secure online accounts,” the NCSC warns, telling people to be on their guard, and to use strong passwords and two-factor authentication (2FA).
Both Iran and Russia have denied any connection to the hacking groups.