NCSC: Iranian and Russian Groups Targeting Government, Activists and Journalists With Spearphishing
The UK National Cyber Security Centre (NCSC) has warned organizations about ongoing spearphishing attacks by Russian and Iranian threat actors.
In the advisory, the government highlighted tactics and techniques being used by Russia-based threat actor SEABORGIUM and Iran-based group TA453.
These attacks, which took place throughout 2022, target specific sectors and individuals related to politics, including academia, defense, governmental organizations, non-governmental organizations (NGOs) and think-tanks, as well as politicians, journalists and activists.
The NCSC urged organizations and individuals in these fields to stay vigilant of the tactics used by the two separate groups.
The advisory stated that the groups begin by gathering intelligence about their targets via open-source resources such as social media and professional networking platforms.
To make them appear legitimate, the attackers create fake social media or networking profiles that impersonate respected experts and journalists, as well as use supposed conference or event invitations.
Both SEABORGIUM and TA453 use webmail addresses from well-known providers like Outlook and Gmail to send their initial message. They have also created malicious domains resembling legitimate organizations to appear authentic, said the advisory.
The phishing emails are primarily sent to targets’ personal email addresses, although corporate email addresses have also been used. The attackers then seek to establish a rapport with their victims, often by establishing benign contact on a topic they know will engage the target.
Once trust is established, the attacker shares a malicious link, purportedly to a document or website of interest. This leads the target to an actor-controlled server, prompting them to enter their account credentials.
After the credentials are compromised, the attackers use them to log in the targets’ email accounts, from where they can access and steal sensitive emails and attachments.
The NCSC added that the threat groups have also used their access to a victim’s email account to access mailing-list data and their contact list, allowing for follow-on targeting and phishing activity.
Paul Chichester, NCSC Director of Operations, commented: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spearphishing attacks.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organizations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
Mitigation strategies set out by the NCSC include using strong and separate passwords for email accounts, turning on multi-factor authentication and keeping devices and networks up-to-date.
Commenting, Proofpoint researchers said the advisory corresponds with its own research, including that on TA453, which shows that state-aligned threat actors are “some of the best” at crafting highly targeted and sophisticated social engineering campaigns.
“In this case, our researchers have seen the Iran-aligned TA453 actor step up its game by using multi-persona impersonation – capitalizing on social proof to get their target to buy into their cons. This is an intriguing technique because it requires more resources to be used per target – potentially burning more personas – and a coordinated approach among the various personalities in use by TA453,” said a Proofpoint spokesperson.
They added: “Researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts that are approached by journalists should check the publication’s website to see if the email address belongs to a legitimate reporter.”
Research published by Secureworks on January 26, 2023, found that Iranian threat group COBALT SAPLING has re-emerged with a new persona, Abraham’s Ax. This group is linked to the threat actor Moses Staff, which styles itself as an anti-Israeli and pro-Palestinian threat group with the primary aim of harassing and disrupting Israeli companies.
Secureworks’ researchers believe that the Abraham’s Ax persona is being used in tandem to attack government ministries in Saudi Arabia.