Skip to content

Putting an end to SEABORGIUM Phishing Campaigns

Phishing Protection Archives - Page 2 of 6 - DuoCircle

The SEABORGIUM campaigns were observed, and the Microsoft Threat Intelligence Center (MSTIC) intervened to stop them. SEABORGIUM is an actor that Microsoft has been tracking since 2017. With goals and victimology that closely resemble Russian state interests, SEABORGIUM is a threat actor with Russian origins. Consistent phishing and credential theft tactics that result in intrusions and data theft are part of its campaigns. The SEABORGIUM breaches have also been connected to hack-and-leak activities, in which data that has been taken and leaked is used to influence public opinion in target countries. The information obtained during the SEABORGIUM intrusions is likely to support traditional espionage objectives and information operations rather than financial motivations, according to MSTIC’s assessment. However, we cannot completely rule out the possibility that supporting members of the group may have current or past affiliations with criminal or other nonstate ecosystems.

To share context and spread awareness about a significant danger to Microsoft customers, this blog offers insights into SEABORGIUM’s operations and technical approaches. MSTIC would like to thank the Proofpoint Threat Research Team and the Google Threat Analysis Group (TAG) for working together to identify and stop this actor. Because of Microsoft’s capacity to identify and follow SEABORGIUM’s misuse of its services, primarily OneDrive, MSTIC has had continuous access to information about the actor’s actions and has been able to alert any affected customers. Following these service abuse investigations, MSTIC collaborated with Microsoft’s abuse teams to disable the accounts used by the actor for monitoring, phishing, and email collecting. Additionally, Microsoft Defender SmartScreen has put in place detections for the phishing domains used by SEABORGIUM.

Who is SEABORGIUM?

SEABORGIUM is a very tenacious threat actor who repeatedly targets the same businesses over extended periods. Once effective, it gradually enters the social networks of the targeted companies using persistent phishing, rapport-building, and impersonation to further its incursion. For many years, SEABORGIUM has conducted effective operations to compromise targets such as businesses and individuals, rarely altering its methods or strategies. SEABORGIUM overlaps with the threat groups listed as Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER based on known indicators of compromise and actor methods (Google). However, MSTIC has not detected any technological infiltration links to support the association between Callisto and Gamaredon Group (tracked by Microsoft as ACTINIUM), as claimed by the Security Service of Ukraine (SSU).

Microsoft has detected SEABORGIUM efforts since the start of 2022 that target more than 30 organizations in addition to individual accounts of people of interest. SEABORGIUM mostly targets NATO members, especially the US and the UK, with sporadic attacks on other Baltic, Nordic, and Eastern European nations. In the months before Russia’s invasion, such targeting included the Ukrainian government sector and organizations playing supporting roles in the conflict there. Microsoft determines that, despite some targeting of these organizations, Ukraine is probably not the actor’s major focus; rather, it is most likely a reactive focus area and one of many other targets.

SEABORGIUM principally targets operations in the target countries at think tanks, universities, non-governmental and intergovernmental organizations (NGOs), and defense and intelligence consulting companies. 30% of Microsoft’s nation-state notifications relating to SEABORGIUM activities are sent to Microsoft customer email accounts, demonstrating SEABORGIUM’s keen interest in targeting specific people as well. SEABORGIUM has been shown to target former security agencies, Russian-policy experts, and Russian nationals living abroad. Customers of Microsoft services that have been targeted or compromised are directly informed by Microsoft, as is the case with any observed nation-state actor activity, and are given the information necessary to safeguard their accounts.

Observed actor activity of SEABORGIUM

Microsoft has been monitoring SEABORGIUM for a long time and has noticed a similar methodology, with only minor variations in their social engineering techniques and in how they deliver the initial infected URL to their targets. This section includes a thorough examination of SEABORBIUM’s operational strategies and various examples of their campaigns.

Impersonation and establishing contact

SEABORGIUM usually undertakes reconnaissance of target individuals before launching a campaign, with a focus on finding reliable contacts in the targets’ distant social network or sphere of influence. We believe that the threat actor leverages social networking platforms, personal directories, and general open-source information (OSINT) to support their reconnaissance efforts based on some of the impersonation and targeting that we have witnessed. In collaboration with LinkedIn, MSTIC has noticed that fake profiles purporting to be from SEABORGIUM are occasionally being used to spy on personnel from particular organizations of interest. LinkedIn canceled any accounts (including the one displayed below) that were found to be engaging in fraudulent or inauthentic activity following their policy.

A screenshot of a LinkedIn profile identified for fraudulent behavior. The fake profile uses the name Westley Dyck, who allegedly identifies as a research assistant.
Figure 1: Example profile used by SEABORGIUM to conduct industry-specific reconnaissance

Additionally, SEABORGIUM creates new email accounts at different consumer email providers with email addresses or aliases that are set up to resemble real aliases or names of impersonators. We have seen SEABORGIUM return to and reuse prior accounts that fit the industry of the ultimate target, even if the establishment of new consumer accounts is typical. In one instance, we noticed SEABORGIUM accessing an account it hadn’t used in a year, suggesting that accounts might be tracked and reused if they are important to targets’ verticals.

New accounts having been created, SEABORGIUM moves on to contact their target. For personal or consumer targeting, MSTIC has mostly seen the actor begin the exchange with a friendly email message, usually exchanging pleasantries before mentioning a fake attachment and bringing up a subject of the target’s choosing. This extra step probably aids the performer in developing rapport and averting suspicion, leading to more interaction. If the intended recipient responds, SEABORGIUM then sends a weaponized email.

A screenshot of an email exchange between the SEABORGIUM actors and their target. The initial email from the actors mentions a file attachment, but there is no file attached to the message. Subsequent replies involve the target asking for the file, and then actors sending back a weaponized email.
Figure 2: Example email showing the multi-email approach and rapport building frequently used by the actors.

MSTIC has also recorded some instances where the actor concentrates on phishing with a more organized approach. In these situations, the actor employs a persuasive social engineering strategy and usually turns to distributing malicious content directly.

A screenshot of a phishing email sent by SEABORGIUM to their target. The email impersonates the lead of an organization and informs the recipient of possible attackers against their organization. The email then tells the recipient to open an attached PDF file, disguised as analytical material for safety and informational awareness.
Figure 3: Example phishing email from 2022 where the actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity-themed lure.

These instances serve to highlight the actors’ adaptability and capacity to modify their social engineering strategy to win the trust of their targets.

Delivery of malicious content

Microsoft has discovered many versions of how SEABORGIUM distributes a link that leads targets to their infrastructure for stealing credentials.

URL in the body of an email

In the simplest scenario, SEABORGIUM simply inserts a URL to the email body. Sometimes the actor hides their URL from the target and inline protection platforms by using URL shorteners and open redirection. The emails range from fake file-sharing emails that imitate some platforms to the fake personal contact with the hyperlinked text.

A screenshot of a fake OneDrive email notification sent by SEABORGIUM to their target. The email informs the recipient of a file shared with them, followed by a link. The link leads to a phishing URL controlled by SEABORGIUM actors.

PDF file attachment that contains a URL

In SEABORGIUM campaigns, MSTIC has noticed an upsurge in the use of attachments. These attachments usually imitate a file or document hosting service, such as OneDrive, and ask the user to click a button to open the attachment.

A screenshot of an email sent by SEABORGIUM which used the Ukraine conflict as a social engineering lure. The email contains a PDF file, which the email sender mentions as a new paper about Ukraine they’d like the recipient to check.
Figure 5: Campaign from 2022 using the war in Ukraine as a ruse. Example of SEABORGIUM directly attaching a PDF file to the email.
A screenshot of the content of the PDF file mentioned in figure 5. The PDF file displays a PDF file icon, a message saying that the file can’t be previewed, and a rectangular box with the text “open in OneDrive”. The box with the text contains a hyperlink to a URL controlled by SEABORGIUM.

OneDrive link to PDF file that contains a URL

Additionally, SEABORGIUM makes advantage of OneDrive to host PDF documents that link to the malicious URL. There are no security flaws or vulnerabilities on the OneDrive platform as a result of this activity. The actors add a OneDrive link in the email body that, when clicked, takes the user to a PDF file stored in a OneDrive account under SEABORGIUM’s control. As was the case in the previous illustration, the victim is shown what seems to be a failed preview notice, luring the target to click the link and be taken to the infrastructure for stealing credentials. To further conceal its operational architecture, SEABORGIUM occasionally uses open redirects within the PDF file. In the sample below, SEABORGIUM redirects users to a Google URL.

A screenshot of a PDF file hosted on a OneDrive account controlled by SEABORGIUM, like the one mentioned on figure 6. A box with the text “try again” is displayed, which is hyperlinked to a Google redirect link, further leading to a phishing page.

 

Credential theft of SEABORGIUM

Regardless of the distribution mechanism, the target is sent to a server controlled by an actor that is hosting a phishing framework, most usually EvilGinx, when they click the URL. Microsoft has occasionally seen the attacker try to use internet activity fingerprinting to avoid automated browsing and detonation. The framework requests the target for authentication after redirecting the target to the final page, simulating a legitimate provider’s sign-in page and capturing any credentials. The target is routed to a website or document to conclude the engagement after credentials have been obtained.

A screenshot of a phishing page used by SEABORGIUM. The phishing page impersonates a victim organization and asks the target to sign in with their account details.
Figure 8: Example cloned phishing portal used by SEABORGIUM to directly impersonate a victim organization.

 

Data exfiltration and impact

SEABORGIUM has been seen to sign in to victim email accounts using stolen credentials. The following behaviors are common, according to our confirmation of them based on our experience reacting to intrusions by this actor on behalf of our clients:

  • Exfiltration of intelligence data: From the inboxes of victims, SEABORGIUM has been seen stealing emails and attachments.
  • Setup of persistent data collection: In a few cases, SEABORGIUM has been seen setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts, giving the actor long-term access to the data they have obtained. We’ve seen it happen more than once: the actors were able to obtain access to mailing-list information for private organizations, like those frequented by former intelligence officials, and kept a file of that material for later exfiltration and targeting.
  • Access to people of interest: In a lot of incidents, SEABORGIUM has been seen using its impersonation accounts to promote communication with particular individuals of interest. As a result, they have sometimes accidentally been included in conversations involving multiple people. The nature of the talks discovered by Microsoft throughout its investigations reveals the possible sharing of classified data that might be useful for intelligence purposes.

We determine that espionage is probably one of the actor’s main motivations based on the unique victimology, documents stolen, conversations encouraged, and continuous collecting witnessed.

Sporadic involvement with information operations

A SEABORGIUM information operation was assigned to them in May 2021 by MSTIC based on observations and technical similarities to other known phishing attacks. Documents that were purportedly taken from a UK political group and published on a public PDF file-sharing website were part of the operation. Later, the documents were spread on social media by well-known SEABORGIUM accounts, but MSTIC found little more interaction or amplification. Microsoft was unable to confirm the content’s validity.

Late in May 2022, Reuters and Google TAG revealed information regarding a data operation, specifically a breach and leak, that they said was the work of COLDRIVER/SEABORGIUM. Through technological evidence, Microsoft independently connected SEABORGIUM to the campaign and concurs with TAG’s assessment of the person in charge of the operation. To create the impression that the participants were plotting a coup, the actors in the above operation released emails and documents from 2018 to 2022 that were purportedly stolen from consumer Protonmail accounts belonging to high-level Brexit supporters. Social media and specific politically themed media outlets with a sizable audience helped to spread the story.

Although there have only been two instances of direct involvement, MSTIC cannot rule out the possibility that SEABORGIUM’s infiltration operations have produced information that has been used by other information sources. Microsoft advises users to exercise caution when sharing or amplifying direct narratives, as with any information operation, and to be wary of the possibility that malicious actors may have purposefully incorporated false or misleading information to support their narrative. To prevent amplification, Microsoft will not be publishing the exact domain or content.

Want to know more about Microsoft? Visit our course now.

Protect your organizations by putting an end into SEABORGIUM. Visit us here.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com