The United Kingdom’s National Cyber Security Centre (NCSC) has issued a warning regarding sophisticated spear-phishing attacks allegedly conducted by state-sponsored actors from Russia and Iran. The warning describes a targeted approach that focuses not on the general populace but on select sectors. The identified targets include academia, defense contractors, governmental bodies, non-governmental organizations, think tanks, politicians, journalists, and activists.
The NCSC has linked these malicious activities to two prominent groups: SEABORGIUM—also known as Callisto, COLDRIVER, and TA446—and APT42, which is identified by other designations such as ITG18, TA453, and Yellow Garuda. While both groups exhibit similar tactics, there is no indication of collaboration between them.
Spear-phishing campaigns of this nature typically begin with meticulously crafted messages aimed at building trust with specific individuals or organizations. The initial outreach phase aims to appear harmless, often extending for weeks, until it transitions to the exploitation phase. During this latter stage, the attackers deploy malicious links that can facilitate credential theft and subsequent data exfiltration.
To enhance their deceptive efforts, these threat actors have reportedly created counterfeit social media profiles designed to impersonate legitimate field experts and journalists. This tactic is intended to lure victims into clicking on malicious links. Once credentials are captured, the attackers gain access to the victims’ email accounts, allowing them to harvest sensitive information and even establish mail-forwarding rules to monitor ongoing communications.
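The mail-forwarding rules described above are a persistence and collection step (MITRE ATT&CK catalogs them as T1114.003, Email Forwarding Rule) that defenders can audit directly. The script below is an added example, not code from the NCSC advisory or the article: it assumes a simplified JSON export of inbox rules (field names `mailbox`, `name`, `enabled`, `forward_to`, `redirect_to`, `delete_message` are an assumption; real exports such as Exchange `Get-InboxRule` output use different names) and flags rules that forward or redirect mail to a domain outside the organisation, delete the original after forwarding, or carry a near-empty name. The sample export is constructed.

```python
"""Audit exported inbox rules for attacker-style mail forwarding.

Added example, not from the NCSC advisory. The rule schema is an
assumption: a list of JSON objects with the fields used below. Adapt the
field names to whatever your mail platform actually exports.
"""
import json

# Assumption: the organisation's own mail domains. Forwarding inside these
# is treated as normal business use; anything else is external.
INTERNAL_DOMAINS = {"example.org"}

# Constructed sample export: three rules across two mailboxes. The second
# rule mirrors the pattern in the text: a copy of all mail is sent to an
# outside address, the original is deleted, and the rule name is a bare dot.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "alice@example.org", "name": "Archive newsletters",
   "enabled": true, "forward_to": [], "redirect_to": [],
   "delete_message": false},
  {"mailbox": "alice@example.org", "name": ".",
   "enabled": true, "forward_to": ["collector@mail-example.net"],
   "redirect_to": [], "delete_message": true},
  {"mailbox": "bob@example.org", "name": "Copy to assistant",
   "enabled": true, "forward_to": ["assistant@example.org"],
   "redirect_to": [], "delete_message": false}
]
"""


def _domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return a finding per enabled rule that forwards mail suspiciously.

    A rule is reported when it forwards/redirects to an external domain or
    deletes the original after forwarding. Near-empty names are noted as an
    extra reason on reported rules, since attacker-created rules are often
    named with a single character to avoid drawing the owner's attention.
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [t for t in targets if _domain(t) not in internal_domains]
        deletes_after_forward = bool(targets) and bool(rule.get("delete_message"))
        if not external and not deletes_after_forward:
            continue
        reasons = []
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        if deletes_after_forward:
            reasons.append("deletes the original after forwarding, hiding the copy from the owner")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule.get("mailbox"), "rule": rule.get("name"), "reasons": reasons})
    return findings


def audit_json(text, internal_domains=INTERNAL_DOMAINS):
    """Parse a JSON rule export and audit it."""
    return audit_rules(json.loads(text), internal_domains)


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_RULES_JSON):
        print(finding["mailbox"], repr(finding["rule"]), "->", "; ".join(finding["reasons"]))
```

Run against the constructed export, only Alice's second rule is reported, with all three reasons; the internal forward to an assistant is left alone. In practice the same check belongs in a scheduled job over every mailbox, with new external-forwarding rules raised as alerts rather than only listed, because the rule is typically created minutes after the credential theft the article describes.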
SEABORGIUM has previously been linked to credential harvesting schemes that involved the creation of fraudulent login pages mimicking authentic defense contractors and nuclear research facilities. This history underscores their adeptness at employing social engineering techniques for exploitation.
Similarly, APT42 functions as part of Iran’s Islamic Revolutionary Guard Corps (IRGC) and has been known to engage potential victims by impersonating journalists and researchers. This group continuously adapts its tactics and tools to align with the evolving priorities of the IRGC, indicating a sophisticated approach to cyber espionage.
In December 2022, enterprise security firm Proofpoint noted APT42’s varied targeting strategies, which encompass a wide range of industries, from medical research to real estate. This departure from the group's usual phishing targets reflects a broadened scope of outreach.
An interesting aspect of these campaigns is the utilization of personal email addresses for the phishing attempts. This strategy appears to be a deliberate effort to bypass security safeguards that organizations put in place on corporate networks, illustrating an enhanced level of premeditation.
Paul Chichester, the NCSC’s director of operations, emphasized the determined pursuit of these actors, which poses serious risks to organizations. The tactics potentially employed in these attacks align with several stages of the MITRE ATT&CK framework, including initial access through phishing, persistence via compromised accounts, and data exfiltration through stolen credentials.
As cyber threats continue to escalate, businesses must remain vigilant and proactive in adopting robust cybersecurity measures to mitigate the risks posed by such advanced persistent threats.