The National Cyber Security Centre (NCSC) of the United Kingdom has issued a warning about spear-phishing attacks orchestrated by state-sponsored actors from Russia and Iran. The attacks are aimed at specific sectors, including academia, defense, government organizations, NGOs, and think tanks, as well as politicians, journalists, and activists, and are not directed toward the general public.
The NCSC attributes these intrusions to the SEABORGIUM group, also known as Callisto, COLD RIVER, and TA446, and APT42, also known as ITG18, TA453, and Yellow Garuda. Although the groups display similar tactics, there is no evidence of collaboration between them.
The spear-phishing campaign involves sending targeted messages, customizing them to the interests of the intended targets, after conducting extensive research into their social and professional networks. The initial contact is crafted to appear benign, aimed at gaining the trust of the victims, and can persist for weeks before transitioning to the exploitation phase. This phase consists of malicious links that can lead to the theft of credentials and further compromise, including data exfiltration.
To maintain the illusion, the attackers are known to create fake profiles on social media platforms, impersonating field experts and journalists, to deceive the targets into opening the links. The stolen credentials are then used to access email accounts and sensitive information, as well as to set up mail-forwarding rules for continuous monitoring of victim correspondence.
SEABORGIUM, a state-sponsored group from Russia, has a history of creating fake login pages resembling legitimate defense companies and nuclear research labs to carry out its credential harvesting attacks. APT42, operating as the espionage arm of Iran’s Islamic Revolutionary Guard Corps (IRGC), shares similarities with PHOSPHORUS and is part of a larger group known as Charming Kitten. This group is known to impersonate journalists, research institutes, and think tanks to engage with its targets, using an ever-evolving array of tools and tactics to match the changing priorities of the IRGC.
Proofpoint, an enterprise security firm, reported in December 2022 that APT42 deviates from typical phishing activity by using compromised accounts, malware, and confrontational lures to target a wide range of victims, including medical researchers, realtors, and travel agencies.
A significant characteristic of these campaigns is the use of personal email addresses of targets, potentially to bypass security controls in place on corporate networks. Paul Chichester, NCSC Director of Operations, stated that “these campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.”