The UK’s NCSC has published an advisory warning of increased targeting of individuals and organisations by Russia’s SEABORGIUM group and Iran’s TA453.
According to the advisory, both groups have run a surge of spear-phishing campaigns against organisations worldwide, especially in Europe. The primary objective of these operations is to collect information from their victims.
However, the two groups are not collaborating and run separate campaigns, despite overlaps in the tactics, techniques, and procedures (TTPs) they employ.
SEABORGIUM has deployed its campaigns against NATO-affiliated countries.
SEABORGIUM (also tracked as TA446) is a Russian state-backed threat group that targeted NATO member countries last year. TA453, by contrast, is an Iranian state-sponsored threat group assessed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC).
The IRGC is a branch of the Iranian Armed Forces. TA453 operators have recently impersonated journalists to target policy experts and academics in the Middle East.
According to the NCSC, both groups begin by researching their targets through open-source resources, such as social and professional networking sites and well-known forums, to gather details about the people they intend to approach. This reconnaissance lets them craft convincing social engineering lures tailored to each target.
Both groups also create numerous fake accounts that masquerade as experts and journalists and use them to send malicious emails to their targets. Researchers noted that these accounts are typically hosted on popular webmail services such as Yahoo, Outlook, and Gmail.
The threat actors also register malicious domains that impersonate legitimate organisations in the target’s field of interest, which makes their lures more convincing.
Once the threat actors have established a conversation with a target, they share a malicious link that redirects the victim to a phishing website. At this point the actors can harvest the victim’s email credentials and gain access to the mailbox, including its archive of recent communications.
Finally, the groups create a mail-forwarding rule on the compromised account so that copies of the victim’s messages are automatically sent to an address the attackers control, giving them ongoing visibility into the victim’s correspondence.
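The forwarding-rule step is the one defenders can most readily audit. The following Python, added here as an example and not drawn from the advisory, scans an export of mailbox inbox rules and flags any rule that forwards or redirects mail outside the organisation, noting when the rule also hides the evidence (deleting the original, moving copies to an obscure folder, marking them read, or carrying a near-empty name). The field names are loosely modelled on Exchange Online's Get-InboxRule output; the mailboxes, rule names and addresses are constructed, and the organisation's own domain is an assumption.

```python
"""Audit mailbox inbox rules for attacker-style mail forwarding.

Added example, not part of the NCSC advisory. RULES below is a constructed
export whose field names are loosely modelled on Exchange Online's
Get-InboxRule output; every mailbox, rule name and address is invented.
"""
import re

ORG_DOMAINS = {"example-institute.org"}   # assumption: the organisation's own domain(s)

# Constructed sample export (not real data). Address strings use the
# '"Display Name" [SMTP:user@domain]' form seen in Exchange output as well as bare addresses.
RULES = [
    {"Mailbox": "j.smith@example-institute.org", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "MoveToFolder": "Newsletters",
     "DeleteMessage": False, "MarkAsRead": False},
    {"Mailbox": "j.smith@example-institute.org", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ['"A Assistant" [SMTP:a.assistant@example-institute.org]'], "RedirectTo": [],
     "MoveToFolder": None, "DeleteMessage": False, "MarkAsRead": False},
    {"Mailbox": "j.smith@example-institute.org", "Name": ".", "Enabled": True,
     "ForwardTo": ['"" [SMTP:backup.archive.mail@mail-sync-service.net]'], "RedirectTo": [],
     "MoveToFolder": "RSS Feeds", "DeleteMessage": False, "MarkAsRead": True},
    {"Mailbox": "k.lee@example-institute.org", "Name": "Archive", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["k.lee.personal@webmail-provider.example"],
     "MoveToFolder": None, "DeleteMessage": True, "MarkAsRead": False},
    {"Mailbox": "k.lee@example-institute.org", "Name": "Old rule", "Enabled": False,
     "ForwardTo": ["someone@mail-sync-service.net"], "RedirectTo": [],
     "MoveToFolder": None, "DeleteMessage": False, "MarkAsRead": False},
]

ADDR_RE = re.compile(r"(?:SMTP:)?([\w.+-]+@[\w-]+(?:\.[\w-]+)+)", re.I)
# Folders attackers use to park forwarded copies where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive", "conversation history"}


def addresses(entries):
    """Extract lower-cased SMTP addresses from a rule's recipient list."""
    out = []
    for entry in entries or []:
        m = ADDR_RE.search(entry)
        if m:
            out.append(m.group(1).lower())
    return out


def audit_rule(rule, org_domains=ORG_DOMAINS):
    """Return the reasons a rule looks like attacker persistence (empty list if clean)."""
    reasons = []
    targets = (addresses(rule.get("ForwardTo")) + addresses(rule.get("ForwardAsAttachmentTo"))
               + addresses(rule.get("RedirectTo")))
    external = [t for t in targets if t.split("@")[1] not in org_domains]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
        # Concealment only matters once mail is actually leaving the organisation.
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original")
        folder = (rule.get("MoveToFolder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves copies to '{rule['MoveToFolder']}'")
        if rule.get("MarkAsRead"):
            reasons.append("marks as read")
        if not (rule.get("Name") or "").strip(".- "):
            reasons.append("near-empty rule name")
    return reasons


def audit(rules, org_domains=ORG_DOMAINS, include_disabled=False):
    """Run audit_rule over an export and return one finding per suspicious rule."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled") and not include_disabled:
            continue
        reasons = audit_rule(rule, org_domains)
        if reasons:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(RULES):
        print(f"{f['mailbox']}  rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

Disabled rules are skipped by default because they do not move mail, but an attacker can re-enable one later, so a periodic sweep should pass `include_disabled=True` and review those too. The same checks apply to transport rules and to forwarding configured at the mailbox level rather than by inbox rule; those need a separate export.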
Researchers have detected numerous campaigns from both groups since last year, and organisations should expect these attacks to continue and grow in the coming months.