Microsoft Disrupts Major Russian Phishing Group
Microsoft this week announced that it has taken action to disrupt the Russia-based threat group it tracks as SEABORGIUM.
In a security blog post published on Monday, Microsoft said it had disabled email, social media and LinkedIn accounts the group used for reconnaissance and phishing. Microsoft assesses the group to be Russian state-aligned based on its choice of targets, which have included former intelligence officers, Russian citizens living abroad and experts in Russian affairs.
"SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests," wrote Microsoft. "Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft."
Microsoft said it had been tracking the group's activities as far back as 2017 and assessed that its primary motivation is espionage rather than financial gain. Microsoft's security researchers observed the group targeting 30 organizations in 2022 alone.
In a breakdown of how the group typically operates, Microsoft said it observed a consistent, structured pattern with very little deviation between phishing attempts. A targeted individual is first researched through fake social media accounts, typically on LinkedIn, to gain insight into the person and the organizations they are connected to.
SEABORGIUM then sets up email accounts that impersonate the aliases and names of people the target knows. In some cases, Microsoft also saw the group re-register inactive or deleted email or social media accounts that once belonged to those known aliases.
The group then makes contact. With individuals, Microsoft saw SEABORGIUM take a more personal approach, exchanging pleasantries before sending a malicious link. With organizational targets, SEABORGIUM used an "authoritative approach" and sent the malicious link in the first message.
Microsoft has seen the malicious link embedded directly in the body of an email, embedded in an attached PDF, or embedded in a PDF that the email shares via a OneDrive link.
"Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx," wrote Microsoft. "On occasion, Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior."
When the target follows the link, it lands on the phishing framework, which presents what appears to be a legitimate provider's sign-in page and prompts for credentials. EvilGinx works as an adversary-in-the-middle reverse proxy in front of the real sign-in service, so in addition to the password it can capture the authenticated session cookie, which lets the attacker reuse the session even where a one-time-code second factor was entered. With the stolen credentials, Microsoft has mostly observed the group stealing email in order to obtain confidential and private data from its targets.
As a further step to disrupt the group, Microsoft also shared data on 69 domains used by SEABORGIUM with other providers, including ProtonMail and Yandex. Microsoft also recommends that customers reduce their exposure to similar attacks by using the security features built into Office 365, including:
- Disabling email auto-forwarding in Office 365, so that a compromised mailbox cannot be silently forwarded to an attacker-controlled address.
- Blocking spoofed emails, spam and emails with malware in Office 365.
- Ensuring Microsoft Defender for Office 365 is enabled for advanced phishing protection.
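The first recommendation can be applied and verified from Exchange Online PowerShell. The following is an added example, not code from Microsoft's post: it turns off automatic external forwarding tenant-wide and then audits the two places forwarding is usually configured after a mailbox compromise, mailbox-level forwarding and user inbox rules. It assumes the ExchangeOnlineManagement module is installed, that the account used holds an Exchange administrator role, and that `admin@example.com` is a placeholder for that account.

```powershell
# Added example (not from Microsoft's post): block automatic external forwarding
# in Exchange Online and audit existing forwarding paths.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role;
# admin@example.com is a placeholder account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Block auto-forwarding to external recipients in the default outbound spam policy.
#    'Off' blocks external forwarding whether it was set up via an inbox rule
#    or via the mailbox's ForwardingSmtpAddress.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Also disable it on the default remote domain (the older control, still honored).
#    Any custom remote domains you have defined need the same check.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Audit mailbox-level forwarding that is already configured.
$mailboxForwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Audit inbox rules that forward or redirect mail, a common persistence step
#    once an attacker holds a victim's session.
$ruleForwarding = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"Mailbox-level forwarding:"
$mailboxForwarding | Format-Table -AutoSize
"Inbox rules that forward or redirect:"
$ruleForwarding | Format-Table -AutoSize

# 5. Confirm the policy changes took effect.
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 calls Get-InboxRule once per mailbox and is slow on a large tenant; for routine monitoring it is cheaper to query the unified audit log for New-InboxRule and Set-InboxRule events instead. Blocking external forwarding does not stop an attacker who already holds a valid session from reading mail directly, which is why the policy change belongs alongside the credential and session hygiene in the other two recommendations rather than in place of them.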