State-sponsored cyber threats from Russia are becoming increasingly prevalent and sophisticated, with evolving tactics that challenge governments and organizations. In this text, we examine the latest tactics and their impact on the UK, US, and Europe. We also discuss the motives, potential consequences, and tips for mitigating these threats.

In recent years, state-sponsored cyber threats have become increasingly sophisticated and prevalent, and Russia is emerging as one of the leading actors in this field. Threat actors create fake personas through social media accounts, fake profiles, and academic papers to lure victims into replying to phishing emails.

They are constantly evolving their tactics, and governments and organizations are struggling to keep up. Hence, there are rising concerns regarding individual privacy, national security, and critical infrastructure.

In the past 12 months, we saw increasing cases of Russian state-sponsored cybercriminals targeting eminent personalities in the UK, the US, and Europe. Taking note, the National Cyber Security Centre (NCSC) recently issued an advisory warning about the rising cyberattacks associated with two cybercriminal gangs based in Iran and Russia. Let us start by discussing the latest attack by the Russian group.

The Recent Attack Against MP Stewart McDonald at a Glance

In one of the recent attacks, a Russian hack group (Seaborgium) targeted the email account of a British Member of Parliament, Stewart McDonald. The group used a spear-phishing technique and sent a malicious email with a link to a fake website. The hackers designed the website to harvest login credentials.

Security experts believe that the attack was part of a more comprehensive campaign by state-sponsored Russian attackers and highlights the national security threat and the need for governments to implement robust cybersecurity measures.

After the attack, the UK government issued a warning to MPs and their staff to enhance their security protocols and remain vigilant to potential phishing attacks.

Seaborgium: The Russian Threat Actors Behind the Attacks

Cybersecurity firms liken the activity of Seaborgium, also known as Calisto, to a game of “whack-a-mole” because of the rapidity with which the threat actor registers and discards personas and aliases that mimic consumer email addresses and infrastructure, regardless of whether a given persona succeeded.

Sherrod DeGrippo, an independent threat intelligence expert, said that the Russian and Iranian threat actors had evolved their social engineering tactics, which are now carefully constructed. They are creating more convincing, complete personas, including social media accounts, websites, and portals.

The threat actors refine their tactics with each successful attack by generating more convincing fake profiles. They are even developing phony webpages, websites, informational pieces, and papers to pose as researchers or journalists, making the techniques used in the attacks more elaborate and sophisticated.

Seaborgium Targets: Why You Need to be on Guard

Academics are an attractive target for the hacking group, as they usually have multiple roles besides being university professors.

For example, academics might serve on intellectual boards, work at a law firm or hospital, and specialize in international law, atomic sciences, journalism, or activism. Thus, cybercriminals can compromise an academic in one role and gain access to sensitive information from the others.

Journalists are also high-value targets, as sensitive off-record material acquired from them is of significant value to Russian state-sponsored groups. Moreover, the intelligence gained from journalists is timely, which serves the purposes of these cybercriminal gangs.

Seaborgium’s Latest Tactics: Everything You Need to Know

Although Seaborgium’s attack methods are not entirely unique, they have evolved and become increasingly sophisticated. Typically, their campaigns begin with benign emails, and only after confirming activity do they send phishing emails containing malicious links that aim to collect sensitive information.

In the past, Seaborgium has targeted the education sector, US federal civilian targets, and not-for-profit groups (NGOs) with geopolitical affiliations. The group’s attacks rely heavily on reconnaissance and impersonation for delivery.

The NCSC advisory points out that Seaborgium’s tactics are similar to those of TA453 but adds that, according to the NCSC’s industry reporting, the two groups are not working together.

TA453, also known as APT42/Yellow Garuda/ITG18/Charming Kitten, is an Iran-based hacking group that uses techniques like impersonation and reconnaissance to collect sensitive information.

According to DeGrippo, also the former senior director of threat research and detection at Proofpoint, the tactics, techniques, and procedures employed by Seaborgium are particularly insidious. After logging in as the legitimate account holder and redirecting emails to their own infrastructure, the malicious actors continue to operate the compromised email account and remain undetected.
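The redirection described above usually leaves a trace in mailbox audit logs as a new rule or forwarding address pointing outside the organisation. As an added illustration, not code from the article or from the NCSC, the Python below flags such changes; the log lines are constructed, and their JSON shape is a simplified assumption rather than an exact vendor schema.

```python
import json

# Constructed sample audit records. Their shape is an assumption: a simplified
# take on Microsoft 365 unified audit log entries, not the exact vendor schema.
SAMPLE_AUDIT_LOG = """
{"Operation":"New-InboxRule","UserId":"a.prof@example-uni.ac.uk","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive@mail-relay.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"b.prof@example-uni.ac.uk","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-Mailbox","UserId":"c.prof@example-uni.ac.uk","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:c.prof@example-uni.ac.uk"}]}
{"Operation":"Set-Mailbox","UserId":"d.prof@example-uni.ac.uk","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:d.prof.backup@example-freemail.com"}]}
"""

INTERNAL_DOMAINS = {"example-uni.ac.uk"}
# Rule and mailbox parameters that send a copy of incoming mail elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")

def _params(record):
    """Flatten the Parameters array into a plain name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _domain(address):
    """Return the domain part of an address, tolerating an 'smtp:' prefix."""
    address = address.lower()
    if address.startswith("smtp:"):
        address = address[5:]
    return address.rsplit("@", 1)[-1] if "@" in address else ""

def external_forwarding_findings(log_text, internal_domains=INTERNAL_DOMAINS):
    """One finding per rule or mailbox change that forwards mail outside the
    organisation; forwarding to an internal domain is left alone."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        params = _params(record)
        for name in FORWARDING_PARAMS:
            if name not in params or _domain(params[name]) in internal_domains:
                continue
            findings.append({
                "user": record["UserId"],
                "operation": record["Operation"],
                "destination": params[name],
                # Deleting the original hides the forwarding from the mailbox
                # owner; a one-character rule name is another common tell.
                "deletes_original": params.get("DeleteMessage") == "True",
                "short_rule_name": len(params.get("Name", "xx")) < 2,
            })
    return findings
```

Running `external_forwarding_findings(SAMPLE_AUDIT_LOG)` on the constructed log reports the two external destinations and ignores the self-forward to the internal domain.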

Is Russia Behind the Seaborgium Cybercriminal Gang?

DeGrippo said that Seaborgium’s methods suggest that the state backs the threat actor. “The journalists have leaks, secrets, and sensitive information,” she said. The actor can also compromise the account and send emails posing as the victim. She added: “Because at that point, you start asking questions of sources of a particular interest to cyber espionage intelligence for Russian interests.”

Microsoft’s Threat Intelligence Center, or MSTIC, tracking the group since its inception, says that Seaborgium is a Russia-backed group with objectives that align closely with Russian state interests.

Another indication that the Russian state backs the threat group is that its choice of targets tracks events in the war in Ukraine. For example, it began targeting the defense sector when military aid and weapons deliveries to Ukraine appeared in the news, and it chose nuclear energy-related targets during ground battles around power plants.

NCSC’s Recommendations: How to Stay Safe?

The NCSC advisory on Seaborgium suggests that the sophistication of the threat actor’s attacks has escalated and highlights the need for heightened awareness and protection measures for organizations, particularly those with high levels of email traffic.

Collaboration between different organizations in the security space is critical to producing an effective and holistic method of tracking and curtailing the activity of threat actors such as Seaborgium.

As part of a comprehensive cybersecurity strategy, it is recommended that email users are trained to identify malicious emails and that email security tools are used to block threats before they reach users’ inboxes. Implementing robust multi-factor authentication on all possible systems would also help limit the impact of credentials that are eventually stolen.

Final Words

The attack on the British MP is one of many milestones for the threat actor. Last year, Seaborgium targeted scientists at three US nuclear research labs: Argonne, Brookhaven, and Lawrence. Thus, we saw how the evolving tactics of Russian state-sponsored threat actors present a significant challenge to the security of the UK, the US, and Europe.

These attacks highlight the need for continued vigilance and investment in cybersecurity measures by governments and organizations.

While mitigating these threats is an ongoing challenge, continued research and collaboration between governments and the private sector can help to improve the understanding of these tactics and enhance the ability to protect against them. By doing so, organizations can take a proactive approach to cybersecurity and safeguard against the growing threat posed by state-sponsored cyber actors.