WASHINGTON — Microsoft has taken action to disrupt hacking campaigns tied to a highly persistent Russian threat actor that has targeted defense and intelligence consulting firms, among other entities, primarily in NATO countries, the company said.
The Microsoft Threat Intelligence Center (MSTIC) has tracked the Russian state-sponsored group SEABORGIUM since 2017. Its campaigns rely on phishing and credential theft, and its intrusions have also been linked to hack-and-leak operations in which stolen data is “used to shape narratives in targeted countries,” the company said in a notice.
The company said the information collected during SEABORGIUM intrusions likely supports traditional espionage goals and information operations as opposed to financial motivations.
“SEABORGIUM primarily targets NATO countries, particularly the US and UK, with occasional targeting of other countries in the Baltics, Nordics and Eastern Europe,” according to Microsoft. “This targeting included the government sector of Ukraine in the months leading up to the Russian invasion, and organizations involved in roles supporting the war in Ukraine.”
Microsoft said Ukraine is unlikely to be SEABORGIUM’s primary focus and is more likely a “reactive focus area” for the group among its other targets. The group has also targeted former intelligence officials, experts on Russian affairs and Russian citizens abroad.
The company said SEABORGIUM builds fake online personas, using LinkedIn accounts and email addresses, to send phishing attachments to individuals and organizations. Microsoft also said it has observed SEABORGIUM exfiltrating emails and attachments from victim inboxes, setting up forwarding rules from victim inboxes to actor-controlled dead-drop accounts that give the group long-term access to collected data, and using impersonation accounts to obtain sensitive information that targets share with the person being impersonated.
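The mailbox forwarding rules described above are one of the few artifacts of this kind of intrusion that a defender can enumerate directly. The following is an added example, not Microsoft’s tooling or anything from its notice: it audits a constructed list of inbox rules shaped like a JSON export of Exchange Online `Get-InboxRule` output (the field names `ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `DeleteMessage` and `MoveToFolder` are real `Get-InboxRule` properties; the `Mailbox` field, the `INTERNAL_DOMAINS` set and the sample rules are assumptions) and flags rules that forward outside the organisation, delete or hide the forwarded copies, or carry the near-empty names attackers commonly use to avoid notice.

```python
"""Audit mailbox inbox rules for attacker-style forwarding and hiding.

Added example (not Microsoft's code). Input is assumed to be a list of
dicts exported from Exchange Online `Get-InboxRule`, with recipient
fields either as plain SMTP addresses or in the
'"Display Name" [SMTP:user@domain]' form Exchange prints.
"""
import json
import re
from typing import Dict, Iterable, List

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains
# Folders where a forwarded copy is unlikely to be noticed by the mailbox owner.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Archive", "Deleted Items"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_addresses(values, internal=INTERNAL_DOMAINS) -> List[str]:
    """Extract SMTP addresses from recipient strings and keep non-internal ones."""
    found = set()
    for value in values or []:
        for addr in ADDR_RE.findall(value):
            if addr.rpartition("@")[2].lower() not in internal:
                found.add(addr.lower())
    return sorted(found)


def classify_rule(rule: Dict, internal=INTERNAL_DOMAINS) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.get("Enabled", True):
        return findings  # disabled rules do not move mail
    targets: List[str] = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets += external_addresses(rule.get(field), internal)
    targets = sorted(set(targets))
    if targets:
        findings.append("forwards mail outside the organisation: " + ", ".join(targets))
        if rule.get("DeleteMessage"):
            findings.append("deletes the original after forwarding")
        if rule.get("MoveToFolder") in HIDING_FOLDERS:
            findings.append(f"moves forwarded mail to '{rule['MoveToFolder']}'")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1:
        findings.append("rule name is empty or a single character")
    return findings


def audit(rules: Iterable[Dict], internal=INTERNAL_DOMAINS) -> Dict[str, List[str]]:
    """Map 'mailbox/rule name' to findings for every rule that has any."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        hits = classify_rule(rule, internal)
        if hits:
            report[f"{rule.get('Mailbox', '?')}/{rule.get('Name', '')!r}"] = hits
    return report


# Constructed sample: one benign internal rule, one dead-drop style rule,
# and one disabled rule that should be ignored.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.org", "Name": "Team newsletter", "Enabled": True,
     "ForwardTo": ["bob@example.org"], "DeleteMessage": False, "MoveToFolder": None},
    {"Mailbox": "alice@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ['"alice backup" [SMTP:alice.archive@mail-relay.example.net]'],
     "DeleteMessage": True, "MoveToFolder": "RSS Feeds"},
    {"Mailbox": "carol@example.org", "Name": "Old rule", "Enabled": False,
     "RedirectTo": ["drop@example.net"], "DeleteMessage": False, "MoveToFolder": None},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RULES), indent=2))
```

Run it against a real export by replacing `SAMPLE_RULES` with `json.load()` of the `Get-InboxRule | ConvertTo-Json` output and `INTERNAL_DOMAINS` with your accepted domains; forwarding to a personal webmail domain is the classic dead-drop pattern, and a rule that forwards, deletes and has a one-character name rarely has a benign explanation.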
Last year, MSTIC attributed an information operation to SEABORGIUM in which documents stolen from a political organization in the UK were uploaded to a public PDF file-sharing site and then amplified on social media through SEABORGIUM-controlled accounts. Then, in May this year, Microsoft and Google TAG detected SEABORGIUM attacks aimed at stealing documents from British political organizations and activists, according to the notice. The threat actors stole emails and documents from pro-Brexit activists, which were later leaked online, Reuters reported.
“In said operation, the actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-profile Brexit supporters, to build a narrative that the participants were planning a coup,” according to the notice. “The narrative was amplified using social media and specific politically themed media sources that gained some reach.”
Microsoft, in its advisory, shared a list of “indicators of compromise” believed to be associated with SEABORGIUM’s phishing campaigns.
“Although we observed only two instances of direct involvement, MSTIC is unable to rule out that SEABORGIUM’s intrusion operations provided data used by other information outlets,” according to the notice. “As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives, and urges readers to be critical that malicious actors may have intentionally inserted misinformation or disinformation to help their story.”