As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.
In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.
Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.
Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent.
Targets &Tactics
Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."
The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.
Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.
The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.
If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive.
According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."
Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.
The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.
Caution
According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."
The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.
As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.
The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.