Microsoft said it has hobbled the malware operations of the Russian state-sponsored threat actor Seaborgium, which the company’s security team has tracked since 2017.
The vendor said it had disabled various mechanisms used by the group, including email, social media and LinkedIn accounts deployed for surveillance and phishing activities. Since the beginning of this year, Seaborgium has targeted some 30 organizations, particularly NATO countries, including the U.S. and the U.K., with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe.
Ukraine’s government has been a favored target of the group in the months leading up to the Russian invasion. Other organizations involved in supporting the Ukraine war effort have also been hit by Seaborgium’s malware campaigns. However, Microsoft believes that Ukraine is not a primary target for Seaborgium. Within the target countries, Seaborgium has attacked defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.
Additional targets have included certain individuals, such as former intelligence officers, Russian citizens abroad and Russian affairs experts, according to Microsoft.
The group is known for persistent phishing and credential theft campaigns leading to intrusions and data theft. It has also been linked to political and social influence operations through “hack-and-leak” campaigns, in which stolen and leaked data is used to “shape narratives” in targeted countries, Microsoft said.
Microsoft explained that the crew has rarely changed methodologies or tactics and appears to concentrate on espionage rather than financial gain:
“While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations.”
According to Microsoft’s tracking, Seaborgium frequently targets the same organizations over long periods of time. Once it gains a foothold, it slowly infiltrates the targeted organizations’ social networks through constant impersonation, rapport building and phishing to deepen its intrusion. In one instance in May 2021, Seaborgium uploaded stolen documents from a political organization in the U.K. to a public PDF file-sharing site. The documents were later amplified on social media via known Seaborgium accounts.
What We Know About Seaborgium
Microsoft said it has observed the following activities attributed to Seaborgium:
- Exfiltrating emails and attachments from the inbox of victims.
- Setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data.
- Using its impersonation accounts to facilitate dialog with specific people of interest and, as a result, being included in conversations involving multiple parties in which potentially sensitive information of intelligence value might be shared.
Six Recommended Customer Actions
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
- Configure Office 365 to disable email auto-forwarding.
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
- Require multifactor authentication (MFA) for all users coming from all locations, including perceived trusted environments, and for all internet-facing infrastructure, even for connections coming from on-premises systems.
- Use more secure MFA implementations such as FIDO tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods because of the risks associated with SIM-jacking.
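The forwarding-rule "dead drop" technique described above and the recommendation to disable auto-forwarding both come down to the same audit in Exchange Online. The following PowerShell script is an added example, not code from the article or from Microsoft: it lists every mailbox-level forward and every inbox rule that forwards or redirects mail, flags targets outside the tenant's accepted domains, reports the two tenant-wide auto-forwarding controls, and, only when run with `-Remediate`, clears the forwards, disables the external rules and turns auto-forwarding off. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange administrator role; `Test-ExternalAddress` is a helper defined here, not a Microsoft cmdlet.

```powershell
# Added example (not from the article or from Microsoft): audit and optionally remove
# mailbox auto-forwarding in Exchange Online, the mechanism reported for dead-drop collection.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
param(
    [switch]$Remediate   # report only unless this switch is given
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Domains belonging to this tenant; any other domain is treated as an external forward.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

function Test-ExternalAddress {
    # Helper defined for this example. Recipient strings can look like "smtp:user@example.com"
    # or "Display Name [SMTP:user@example.com]"; extract the domain and compare it to the tenant's.
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    if ($Address -match '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)') {
        return -not ($internalDomains -contains $Matches[1].ToLowerInvariant())
    }
    return $false
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set through Set-Mailbox or the admin center).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox  = $upn
            Source   = 'Mailbox'
            Rule     = '-'
            Target   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
        }
        if ($Remediate) {
            Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
                        -DeliverToMailboxAndForward $false
        }
    }

    # 2. User-created inbox rules that forward or redirect mail (the typical dead-drop setup).
    $rules = Get-InboxRule -Mailbox $upn |
             Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets    = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $isExternal = ($targets | ForEach-Object { Test-ExternalAddress "$_" }) -contains $true
        $findings += [pscustomobject]@{
            Mailbox  = $upn
            Source   = 'InboxRule'
            Rule     = $rule.Name
            Target   = ($targets -join '; ')
            External = $isExternal
        }
        if ($Remediate -and $isExternal) {
            Disable-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false
        }
    }
}

# 3. Tenant-wide controls that stop automatic forwarding to external domains.
$remote = Get-RemoteDomain Default
$spam   = Get-HostedOutboundSpamFilterPolicy -Identity Default
Write-Host "RemoteDomain 'Default' AutoForwardEnabled  : $($remote.AutoForwardEnabled)"
Write-Host "Outbound spam policy AutoForwardingMode    : $($spam.AutoForwardingMode)"
if ($Remediate) {
    Set-RemoteDomain Default -AutoForwardEnabled $false
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
}

# External forwards first, since those are the ones worth an incident ticket.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Run it once without `-Remediate` and keep the output: a forward to a mailbox the user does not recognise is evidence for the intrusion assessment the article recommends, and an internal forward is usually legitimate, which is why the script only disables rules whose target is external. Blocking auto-forwarding tenant-wide (step 3) prevents the rule from working even if an attacker re-creates it with a fresh credential.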
Four Recommendations for Microsoft Defender for Office 365
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
- Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine already-delivered mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already reached mailboxes.
- Configure Defender for Office 365 to recheck links on click. Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
- Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns within your organization. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing their credentials.