[Image: Hacker in a hoodie ASCII art. (Getty)]

WASHINGTON — Microsoft has taken actions to disrupt hacking campaigns linked to a highly persistent Russian threat actor that has targeted defense and intelligence consulting companies, among other entities, primarily in NATO countries, the company announced today. 

The Microsoft Threat Intelligence Center (MSTIC) has been tracking the Russian state-sponsored group SEABORGIUM since 2017; its campaigns center on phishing and credential theft. Its intrusions have also been linked to hack-and-leak campaigns, where stolen data is “used to shape narratives in targeted countries,” the company said in an advisory.

The company said information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations. 

“SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe,” according to Microsoft. “Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine.” 


Microsoft assessed that Ukraine is likely not the primary focus of SEABORGIUM and is more likely a “reactive focus area” for the group among other targets. It has also targeted former intelligence officials, experts in Russian affairs and Russian citizens abroad.

The company said SEABORGIUM uses fake online personas, built on LinkedIn accounts and email addresses, to send phishing attachments to individuals and organizations. Microsoft also confirmed that SEABORGIUM has been observed exfiltrating emails and attachments from inboxes; setting up forwarding rules from inboxes to actor-controlled dead drop accounts, which give it long-term access to the collected data; and using impersonation accounts to draw sensitive information out of its targets in direct exchanges.
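One of the post-compromise behaviours described above, a forwarding rule that quietly copies a mailbox to an outside dead drop account, is something a defender can audit for. The script below is an added example, not code from the article or from Microsoft's advisory: it takes an export of mailbox inbox rules and flags every rule that forwards or redirects to a domain outside the organisation, ranking rules that also delete the original message first, since those hide the copy from the mailbox owner. The JSON field names (`ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `DeleteMessage`, `Enabled`) are an assumption modelled on a simplified Exchange inbox-rule export, and all sample data and domains are constructed.

```python
"""Audit exported mailbox inbox rules for forwarding to external addresses.

Added example (not from the article or Microsoft's advisory). It assumes the
rules were exported in a simplified JSON shape resembling an Exchange inbox-rule
listing; the field names are an assumption and the sample data is constructed.
"""
import json

# Domains that belong to the organisation (constructed for this example).
ORG_DOMAINS = {"example.org", "mail.example.org"}

# Constructed sample export: four rules across two mailboxes.
SAMPLE_EXPORT = json.dumps([
    {"Mailbox": "analyst@example.org", "Name": "Archive newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    # A rule named "." that forwards everything out and deletes the original.
    {"Mailbox": "analyst@example.org", "Name": ".",
     "Enabled": True, "ForwardTo": ["backup.archive@dropmail.example.net"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    # Internal forwarding to a colleague: legitimate, should not be flagged.
    {"Mailbox": "cfo@example.org", "Name": "Copy to assistant",
     "Enabled": True, "ForwardTo": ["assistant@mail.example.org"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    # A disabled external redirect: dormant, but worth reporting.
    {"Mailbox": "cfo@example.org", "Name": "Old rule",
     "Enabled": False, "ForwardTo": [],
     "RedirectTo": ["cfo.personal@webmail.example.com"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
])

# Rule fields that can send a copy of a message somewhere else (assumed names).
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def address_domain(address):
    """Return the lower-cased domain part of an SMTP address ('' if malformed)."""
    _, sep, domain = address.rpartition("@")
    return domain.strip().lower() if sep else ""


def is_external(address, org_domains):
    """True when the address's domain is not one of the organisation's domains."""
    domain = address_domain(address)
    return bool(domain) and domain not in {d.lower() for d in org_domains}


def external_destinations(rule, org_domains):
    """All forward/redirect targets of a rule that leave the organisation."""
    found = []
    for field in FORWARD_FIELDS:
        for addr in rule.get(field) or []:
            if is_external(addr, org_domains):
                found.append(addr)
    return found


def audit_rules(export_json, org_domains):
    """Return one finding per rule that forwards or redirects mail externally.

    Each finding records the mailbox, rule name, external targets and two
    risk flags: 'deletes_original' (the rule also deletes the message, hiding
    the copy from the owner) and 'disabled' (a dormant rule that could be
    re-enabled later).
    """
    findings = []
    for rule in json.loads(export_json):
        targets = external_destinations(rule, org_domains)
        if not targets:
            continue
        findings.append({
            "mailbox": rule.get("Mailbox"),
            "rule": rule.get("Name"),
            "external_targets": targets,
            "deletes_original": bool(rule.get("DeleteMessage")),
            "disabled": not rule.get("Enabled", True),
        })
    # Rules that also delete the original are the most covert; report them first.
    findings.sort(key=lambda f: (not f["deletes_original"], f["mailbox"], f["rule"]))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT, ORG_DOMAINS):
        flags = [k for k in ("deletes_original", "disabled") if f[k]]
        print(f"{f['mailbox']:<22} rule={f['rule']!r:<18} -> "
              f"{', '.join(f['external_targets'])}  [{', '.join(flags) or 'enabled'}]")
```

Run against the constructed export, the script reports the analyst mailbox's forward-and-delete rule first and the CFO's disabled external redirect second, while the internal copy to a colleague is not flagged. Tenant-wide, the same check would be fed the real rule listing for every mailbox, with the organisation's own domains in place of the constructed set.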

Last year, MSTIC attributed an information operation to SEABORGIUM in which documents stolen from a political organization in the UK were uploaded to a public PDF file-sharing site and then amplified on social media via SEABORGIUM accounts. Then, in May this year, Microsoft and Google TAG detected attacks by SEABORGIUM to steal documents from UK political organizations and activists, according to the advisory. The threat actors stole emails and documents from pro-Brexit activists, which were then leaked online, Reuters reported.

“In the said operation, the actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup,” according to the advisory. “The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach.”

Microsoft in its advisory shared a list of “indicators of compromise” believed to be associated with SEABORGIUM’s phishing campaigns.

“While we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM’s intrusion operations have yielded data used through other information outlets,” according to the advisory. “As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives, and urges readers to be critical that the malicious actors could have intentionally inserted misinformation or disinformation to assist their narrative.”