{"id":119759,"date":"2022-08-15T09:00:00","date_gmt":"2022-08-15T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=119759"},"modified":"2023-10-12T08:11:51","modified_gmt":"2023-10-12T15:11:51","slug":"disrupting-seaborgiums-ongoing-phishing-operations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/08\/15\/disrupting-seaborgiums-ongoing-phishing-operations\/","title":{"rendered":"Disrupting SEABORGIUM\u2019s ongoing phishing operations"},"content":{"rendered":"\n
\n

April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. SEABORGIUM <\/strong>is now tracked as Star Blizzard <\/strong>and ACTINIUM<\/strong> is now tracked as Aqua Blizzard<\/strong>.<\/p>\n\n\n\n

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n<\/blockquote>\n\n\n\n

The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations.<\/p>\n\n\n\n

This blog provides insights into SEABORGIUM\u2019s activities and technical methods, with the goal of sharing context and raising awareness about a significant threat to Microsoft customers. MSTIC would like to acknowledge the Google Threat Analysis Group (TAG) and the Proofpoint Threat Research Team for their collaboration on tracking and disrupting this actor. Microsoft\u2019s ability to detect and track SEABORGIUM\u2019s abuse of Microsoft services, particularly OneDrive, has provided MSTIC sustained visibility into the actor\u2019s activities and enabled us to notify impacted customers. As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM\u2019s activities.<\/p>\n\n\n\n

Who is SEABORGIUM?<\/h2>\n\n\n\n

SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations\u2019 social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics. Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU)<\/a> has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association. <\/p>\n\n\n\n

Since the beginning of 2022, Microsoft has observed SEABORGIUM campaigns targeting over 30 organizations, in addition to personal accounts of people of interest. SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine. Despite some targeting of these organizations, Microsoft assesses that Ukraine is likely not a primary focus for this actor; however, it is most likely a reactive focus area for the actor and one of many diverse targets.<\/p>\n\n\n\n

Within the target countries, SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. SEABORGIUM has a high interest in targeting individuals as well, with 30% of Microsoft\u2019s nation-state notifications related to SEABORGIUM activity being delivered to Microsoft consumer email accounts. SEABORGIUM has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad. As with any observed nation-state actor activity, Microsoft directly notifies customers of Microsoft services that have been targeted or compromised, providing them with the information they need to secure their accounts.<\/p>\n\n\n\n

Observed actor activity<\/h2>\n\n\n\n

Over many years of tracking, Microsoft has observed a consistent methodology from SEABORGIUM with only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets. In this section, we provide detailed analysis of SEABORBIUM\u2019s operational tactics as well as several examples of their campaigns.<\/p>\n\n\n\n

Impersonation and establishing contact<\/h3>\n\n\n\n

Before starting a campaign, SEABORGIUM often conducts reconnaissance of target individuals, with a focus on identifying legitimate contacts in the targets\u2019 distant social network or sphere of influence. Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts. MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest. In accordance with their policies, LinkedIn terminated any account (including the one shown below) identified as conducting inauthentic or fraudulent behavior.<\/p>\n\n\n\n

\"A
Figure 1: Example profile used by SEABORGIUM to conduct industry-specific reconnaissance<\/figcaption><\/figure>\n\n\n\n

SEABORGIUM also registers new email accounts at various consumer email providers, with the email address or alias configured to match legitimate aliases or names of impersonated individuals. While the creation of new consumer accounts is common, we have also observed SEABORGIUM returning to and reusing historical accounts that match the industry of the ultimate target. In one case, we observed SEABORGIUM returning to an account it had not used in a year, indicating potential tracking and reusing of accounts if relevant to targets\u2019 verticals.<\/p>\n\n\n\n

After registering new accounts, SEABORGIUM proceeds to establish contact with their target. In cases of personal or consumer targeting, MSTIC has mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It\u2019s likely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. If the target replies, SEABORGIUM proceeds to send a weaponized email.<\/p>\n\n\n\n

\"A
Figure 2: Example email showing the multi-email approach and rapport building frequently used by the actors.<\/figcaption><\/figure>\n\n\n\n

MSTIC has also documented several cases where the actor focuses on a more organizational approach to phishing. In these cases, the actor uses an authoritative approach in their social engineering and typically goes to directly sending malicious content.<\/p>\n\n\n\n

\"A
Figure 3: Example phishing email from 2022 where the actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity themed lure.<\/figcaption><\/figure>\n\n\n\n

These examples serve to demonstrate the actors\u2019 capability to be dynamic and to adapt their social engineering approach to gain the trust of their victims.<\/p>\n\n\n\n

Delivery of malicious content<\/h3>\n\n\n\n

Microsoft has identified several variations in the way that SEABORGIUM delivers a link that directs targets to their credential stealing infrastructure. <\/p>\n\n\n\n

URL in body of email<\/strong><\/p>\n\n\n\n

In the simplest case, SEABORGIUM directly adds a URL to the body of their phishing email. Occasionally, the actor leverages URL shorteners and open redirects to obfuscate their URL from the target and inline protection platforms. The email varies between fake personal correspondence with a hyperlinked text and fake file sharing emails that imitate a range of platforms.<\/p>\n\n\n\n

\"A
Figure 4: Example follow-up email impersonating a OneDrive share. The link embedded takes the user to actor-controlled infrastructure.<\/figcaption><\/figure>\n\n\n\n

PDF file attachment that contains a URL<\/strong><\/p>\n\n\n\n

MSTIC has observed an increase in the use of attachments in SEABORGIUM campaigns. These attachments typically imitate a file or document hosting service, including OneDrive, and request the user to open the document by clicking a button.<\/p>\n\n\n\n

\"A
Figure 5: Campaign from 2022 using the war in Ukraine as a ruse. Example of SEABORGIUM directly attaching a PDF file to the email.<\/figcaption><\/figure>\n\n\n\n
\"A
Figure 6: Example PDF file used in campaigns. The PDF files appear to be a failed preview, redirecting the users to click a link which takes the user to actor-controlled infrastructure.<\/figcaption><\/figure>\n\n\n\n

OneDrive link to PDF file that contains a URL<\/strong><\/p>\n\n\n\n

SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account. As seen in the previous example, the victim is presented with what appears to be a failed preview message, enticing the target to click the link to be directed to the credential-stealing infrastructure. Occasionally, SEABORGIUM makes use of open redirects within the PDF file to further disguise their operational infrastructure. In the example below, SEABORGIUM uses a Google URL for redirection.<\/p>\n\n\n\n

\"A
Figure 7: Example document hosted on OneDrive that uses a Google redirect link to send users to actor-controlled infrastructure.<\/figcaption><\/figure>\n\n\n\n

Credential theft<\/h3>\n\n\n\n

Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. On occasion, Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior. Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials. After credentials are captured, the target is redirected to a website or document to complete the interaction.  <\/p>\n\n\n\n

\"A
Figure 8: Example cloned phishing portal used by SEABORGIUM to directly impersonate a victim organization.<\/figcaption><\/figure>\n\n\n\n

Data exfiltration and impact<\/h3>\n\n\n\n

SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. Based on our experience responding to intrusions from this actor on behalf of our customers, we have confirmed that the following activities are common:<\/p>\n\n\n\n