Microsoft has shared a detailed report of the SEABORGIUM threat actor that has been impersonating social connections to target individuals to steal credentials and eavesdrop on all communications and attachments. This article looks into SEABORGIUM, its attack tactics, theft patterns, and how you can protect against the SEABORGIUM campaign.

Microsoft has taken swift actions against SEABORGIUM, a Russian threat actor involved in various phishing and credential theft campaigns since 2017. With intrusions, data thefts, hack-and-leak campaigns, espionage, and other malicious activities in Microsoft’s suite, particularly OneDrive, SEABORGIUM has been one of the top threat actors in the past few years.

Here is an outline of SEABORGIUM, its background, threat tactics, Indicators of Compromise for SEABORGIUM attacks, and actions you can take to keep yourself safe.

SEABORGIUM Explained: Who is the Threat Actor known as SEABORGIUM?

SEABORGIUM is a cybercriminal group that frequently targets the same institutions over long periods instead of moving across targets. SEABORGIUM slowly infiltrates organizational social networks via impersonation and phishing to harvest credentials and data.

1. Cybercriminal Group Ties: Based on findings from MSTIC (Microsoft Threat Intelligence Center), the indicators of compromise point to SEABORGIUM being part of the Callisto Group, which F-Secure tracks under that name. Proofpoint and Google track the same group as TA446 and COLDRIVER, respectively.

2. Reach of Attacks: Microsoft’s security teams have identified over 30 organizations targeted by SEABORGIUM campaigns. The threat actor has also been credited with 30% of the nation-state notifications Microsoft delivers to consumer email accounts, and with causing all kinds of trouble for those users.

3. Primary Targets: SEABORGIUM has targeted the Baltic, Nordic, and Eastern European countries, with the US and UK as its primary targets. SEABORGIUM also targeted Ukraine’s government sector prior to Russia’s invasion, as well as organizations supporting Ukraine.

4. Affinity to Intelligence Operatives: The malicious actor largely concentrates on defense and intelligence organizations, IGOs (Intergovernmental Organizations), think tanks, NGOs (Non-Governmental Organizations), and educational institutes. SEABORGIUM has also targeted former Russian intelligence officers and Russian citizens living abroad.

Let us see what SEABORGIUM does to organizations and individuals.

What Does SEABORGIUM Do?

SEABORGIUM is infamous for stealing user credentials and data and misusing the victim’s emails. SEABORGIUM is an expert in:

  • Intelligence Data Exfiltration: The threat actor has been observed to get into email accounts and exfiltrate all communications and attachments.
  • Persistent Data Collection: The threat actor sets forwarding rules from the victim’s email accounts, so all email conversations reach a SEABORGIUM-controlled dead drop account, giving the threat actor long-term access to the stolen data. SEABORGIUM also accesses sensitive mailing lists for former intelligence officers and targets those accounts for exfiltration.
  • Targeting People of Interest: SEABORGIUM targets people of interest and employs impersonation tactics to initiate dialogue with them. Microsoft’s investigations found that sensitive and intelligence-related data was shared during these exchanges.

Microsoft has outlined that, based on all its investigations and observed behavior, SEABORGIUM targets its victims, steals documents, initiates dialogue with former intelligence officers, and collects all such data, and on that basis assesses that SEABORGIUM is an espionage actor.

A Look into SEABORGIUM’s Operations and Tactics

The threat actor has employed various tactics over its long espionage and data theft campaign. These are:

  1. Impersonation for First Contact: SEABORGIUM initiates its attack with reconnaissance to identify contacts in the target’s wider social network. The threat actor then uses social media platforms and personal directories to impersonate those contacts and make first contact with the target. MSTIC’s partnership with LinkedIn revealed that the platform was being used for reconnaissance, and LinkedIn terminated multiple accounts as a result.

(Example of SEABORGIUM profile, Source: Microsoft)

  2. Weaponized Emails: SEABORGIUM also registers multiple email accounts with various vendors as part of its impersonation. A behavior that differentiates SEABORGIUM from the rest is that it reuses its older accounts over the long term, sometimes returning to an email account after a year of inactivity. The threat actor first contacts the target with benign email messages, then references non-existent attachments. SEABORGIUM also converses on a topic of interest to the target, allowing it to avoid suspicion. Then come the weaponized emails, including multi-email approaches, phishing emails, and social engineering emails written in an authoritative tone, showcasing SEABORGIUM’s adaptability.

(SEABORGIUM follow-up email with a malicious link leading the target to threat-actor-controlled infrastructure, Source: Microsoft)

3. Malicious Content Delivery: SEABORGIUM’s weaponized emails include phishing URLs (Uniform Resource Locators) that are shortened and redirected several times to avoid detection. The threat actor also uses hyperlinked text that leads to fake file-sharing platforms. In some cases, SEABORGIUM used PDF file attachments that imitate document hosting services, primarily Microsoft OneDrive; in other instances, it hosted the PDF files on OneDrive itself. In both cases the PDF files contain links to malicious URLs. The delivery is accompanied by a preview message that supposedly “fails to load,” prompting targets to click a link that directs them to SEABORGIUM’s credential-stealing pages.

4. Credential Theft: All the malicious URLs in SEABORGIUM’s weaponized emails redirect victims to a phishing framework controlled by the threat actor. Microsoft observed various events where SEABORGIUM evaded automated browsing and detonation sandboxes by fingerprinting the browsing behavior. The EvilGinx phishing framework was the most widely used during the SEABORGIUM campaign, redirecting the webpage several times before prompting targets for authentication. These pages mirrored authentic ones and then sent the targets on to another website or document to complete the interaction, leaving the victim unaware that the threat actor had stolen their credentials.

SEABORGIUM has been running a malicious and highly sophisticated campaign, which is why it is paramount that you know how to protect yourself.

How to Stay Safe Against SEABORGIUM Attacks?

You can easily detect SEABORGIUM using the Microsoft suite. Microsoft has incorporated all intelligence gathered into its products. Look out for:

Microsoft Defender for Office 365: With enhanced protections and coordinated defenses, Microsoft Defender will alert you about SEABORGIUM threat activity, showing alerts for:

  • Malicious URLs
  • Emails with malicious URLs and email messages removed after delivery
  • Emails reported by other users as malware or phishing emails

Microsoft 365 Defender: Microsoft 365 Defender has also updated its protection and will alert you regarding:

  • Suspicious URLs clicked or opened
  • Accessed links in ZAP-quarantined email

Apart from these tools, Microsoft has urged users to stay protected against SEABORGIUM and other malicious threats by:

  • Block spoofed emails, spam, and emails with malware using email filtering in Office 365.
  • Disable email auto-forwarding in Office 365.
  • Check the list of IoCs (Indicators of Compromise) for SEABORGIUM and assess potential intrusion.
  • Review all remote access authentication activity and require MFA (Multi-Factor Authentication) for all users.
  • Use FIDO tokens and Microsoft Authenticator with number matching.
  • Use Microsoft Defender for Office 365, enable ZAP (Zero-hour Auto Purge), configure link rechecks on click, and use the attack simulator for training against phishing and password attack campaigns.
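The following PowerShell is an added example, not code from Microsoft’s report or from this article: it hunts for the forwarding-rule “dead drop” persistence described under Persistent Data Collection and applies the auto-forwarding lockdown recommended above. It assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange Administrator role.

```powershell
# Added example (not from the Microsoft report or the article).
# Assumes: ExchangeOnlineManagement module, Exchange Administrator role.
Connect-ExchangeOnline

# 1. Inbox rules that forward, redirect or silently delete mail are the
#    dead-drop mechanism: a rule that copies mail to an external address
#    and deletes the original hides the exfiltration from the victim.
$suspectRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$suspectRules | Format-Table -AutoSize

# 2. Mailbox-level forwarding (set via Set-Mailbox) bypasses inbox rules
#    entirely, so check it separately.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 3. Who created or changed rules recently? The unified audit log records
#    the acting account, client IP and parameters of each rule change,
#    which is what you correlate with the remote-access authentication
#    review recommended above.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData

# 4. Disable automatic external forwarding tenant-wide. The outbound spam
#    policy is the current control; the remote-domain flag is the legacy
#    one. Setting both leaves no path open.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Review the rule and audit output before deleting anything, since legitimate internal forwarding to shared mailboxes will also appear.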

Final Words

SEABORGIUM is just one of the cyber threats hiding behind the digital world’s walls. With such a sophisticated and adaptable attack pattern, SEABORGIUM’s campaign is undoubtedly a significant threat among those Microsoft has encountered. The threat actor’s profile, attack patterns, and tactics should make clear why cybersecurity is necessary and why individuals need to take protective measures when interacting online.
