Microsoft disrupts major Russian phishing group
Microsoft announced this week that it has taken steps to cripple the Russian-based cybercrime group SEABORGIUM.
In a security blog post on Monday, Microsoft said it disabled email, social media and LinkedIn accounts used by the group for surveillance and phishing activities. The group is believed to be sponsored by the Russian state based on its choice of targets, which included former intelligence officers, Russian citizens abroad and experts in Russian affairs, according to Microsoft.
“SEABORGIUM is a threat actor originating from Russia, with goals and a victimology that closely aligns with the interests of the Russian state,” Microsoft wrote. “Its campaigns involve persistent phishing and credential theft campaigns leading to breaches and data theft.”
Microsoft said it had been monitoring the group’s activities since 2017 and confirmed that the group’s primary motivation was espionage, not financial gain. The company’s security experts had observed that the group was targeting 30 prominent organizations in 2022 alone.
In a breakdown of how the group generally operated, Microsoft said it observed a structured pattern and approach with very little gap between phishing attempts. A targeted victim is monitored using fake social media accounts, usually on LinkedIn, to gain insight into the individual and connected organization.
SEABORGIUM would then create fake email accounts with spoofed pseudonyms and names of associates known to the target. Additionally, in some cases, Microsoft has seen the group recreate inactive or deleted email or social media accounts of known aliases.
The group would then reach out to the target. For individuals, security experts have seen SEABORGIUM take a more personal approach by reaching out with jokes before sending a malicious link. For organizational targets, SEABORGIUM would use an “authoritative approach” to send the malicious link on first contact.
Microsoft saw the malicious link embedded in the body of an email, embedded in an attached PDF, or attached to a PDF in a OneDrive link.
“Regardless of the delivery method, when the target clicks on the URL, the target is directed to a server controlled by an actor hosting a phishing framework, most commonly EvilGinx,” Microsoft wrote. “On occasion, Microsoft has observed the actor’s attempts to evade automated browsing and detonation by fingerprinting browsing behavior.”
If the target follows the link, they are redirected to the phishing framework, which impersonates a legitimate provider's sign-in page and prompts for authentication credentials; the group then captures those credentials. Beyond credential theft, Microsoft observed that the group's main follow-on activity was email theft, used to obtain confidential and private data from its targets.
In other moves to counter the group, Microsoft also shared data on 69 domains used by the group with other providers, including ProtonMail and Yandex. Microsoft also recommends that users protect themselves against similar attacks using Microsoft's built-in security features, including:
- Disable automatic email forwarding in Office 365.
- Block spoofed emails, spam, and emails containing malware in Office 365.
- Make sure Microsoft Defender for Office 365 is enabled for advanced phishing protection.
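As an added, worked example that is not part of the article or of Microsoft's post, the following Exchange Online PowerShell script applies those recommendations and then audits the tenant for forwarding that is already in place, since a mailbox that silently forwards to an outside address is how credential theft turns into ongoing email theft. It assumes the ExchangeOnlineManagement module is installed, the account used has Exchange Administrator rights, and the tenant's default policy names ("Default", "Office365 AntiPhish Default") have not been renamed.

```powershell
# Added example (not from the article): harden Exchange Online against external
# auto-forwarding and spoofing, then audit for forwarding already configured.
# Assumes: ExchangeOnlineManagement module, Exchange Administrator rights,
# unchanged default policy names.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# 1. Disable automatic external forwarding tenant-wide. Setting the mode to Off
#    explicitly avoids depending on the "Automatic" default.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

#    Also refuse auto-forward at the remote-domain level (belt and braces).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Anti-spoofing / anti-phishing: keep spoof intelligence and mailbox
#    intelligence on in the default anti-phish policy and raise the phishing
#    threshold (level 2 = "Aggressive"). Mailbox intelligence needs a
#    Defender for Office 365 licence.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableSpoofIntelligence $true `
    -EnableMailboxIntelligence $true `
    -PhishThresholdLevel 2

# 3. Audit: mailboxes with a forwarding address set on the mailbox itself.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$forwarders = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress,
                  ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Write-Host "Mailboxes with forwarding configured: $($forwarders.Count)"
$forwarders | Format-Table -AutoSize

# 4. Audit: inbox rules that forward or redirect mail, the usual post-compromise
#    persistence for email theft. One call per mailbox, so this is slow on large
#    tenants; scope $mailboxes to high-value users if needed.
$suspectRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
Write-Host "Inbox rules that forward or redirect: $(@($suspectRules).Count)"
$suspectRules | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit half (steps 3 and 4) first and review the output before applying the policy changes: an existing forward to a departed employee's successor is legitimate, while a rule that redirects everything mentioning "password" or "invoice" to an outside address is the kind of finding that warrants an incident response rather than a quiet cleanup.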