Microsoft Announces Disruption of Russian Espionage APT

Microsoft on Monday announced another major disruption of an APT actor believed to be linked to the Russian government, cutting off access to accounts used for pre-attack reconnaissance, phishing, and email harvesting.


The threat actor, identified by Microsoft as SEABORGIUM, has been documented since at least 2017 actively conducting cyberespionage attacks against military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. 

Microsoft’s security research and threat hunting teams partnered with the company’s abuse teams to disable OneDrive and other Microsoft-linked accounts used by the actor and updated Defender SmartScreen to block the group’s phishing domains.

In a note announcing the disruption, Microsoft also exposed the Russian threat actor’s malware infrastructure and released IoCs (indicators of compromise) to help defenders hunt for signs of infections.

Based on IoCs and actor tactics, Microsoft confirmed that SEABORGIUM overlaps with the actor previously documented by Google (codename COLDRIVER) and F-Secure (codename Callisto Group), and warned that the APT group’s objectives and victimology align closely with Russian state interests.


Microsoft said the group abused the OneDrive service and fake LinkedIn accounts in campaigns that include persistent phishing, credential theft and data theft. 

From Microsoft’s documentation:


Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.

MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest. In accordance with their policies, LinkedIn terminated any account identified as conducting inauthentic or fraudulent behavior.

In addition to reconnaissance on LinkedIn, Microsoft caught the threat actor registering email accounts at consumer email providers for the specific purpose of impersonating individuals for add-on phishing lures.


The SEABORGIUM actor has been observed embedding malicious links and PDF files into the body of phishing emails and using OneDrive to host booby-trapped documents.

The group has also been caught using stolen credentials to sign in directly to victim email accounts and steal emails and attachments from the compromised inboxes.

Microsoft warned that, in limited cases, SEABORGIUM set up forwarding rules from victim inboxes to actor-controlled dead-drop accounts, giving the actor long-term access to the collected data.

“On more than one occasion, we have observed that the actors were able to access mailing-list data for sensitive groups, such as those frequented by former intelligence officials, and maintain a collection of information from the mailing-list for follow-on targeting and exfiltration,” the company added.
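The forwarding-rule technique described above is something defenders can hunt for in mailbox audit data. The check below is an added example, not code from Microsoft or from the article: it scans constructed inbox-rule audit events (simplified from the shape of Exchange "New-InboxRule"/"Set-InboxRule" records, which is an assumption) and flags rules that forward or redirect mail to addresses outside the organisation's own domains, noting when the rule also deletes the original message.

```python
# Constructed sample audit events (assumption: real records carry many more
# fields; only Operation, UserId and the rule Parameters are modelled here).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "analyst@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive-mail@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "editor@example.org",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "pm@example.org",
     "Parameters": [{"Name": "Name", "Value": "to team"},
                    {"Name": "RedirectTo", "Value": "team@example.org"}]},
]

# Assumption: the organisation's own mail domains; anything else is "external".
ORG_DOMAINS = {"example.org"}
# Inbox-rule parameters that send a copy of the message elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")


def external_forwarding_rules(events, org_domains=ORG_DOMAINS):
    """Return (user, rule name, external destinations, deletes original)
    for every inbox-rule event that forwards mail outside org_domains."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        dests = []
        for key in FORWARD_PARAMS:
            # Destinations may be a single address or a ';' / ',' separated list.
            for addr in params.get(key, "").replace(";", ",").split(","):
                addr = addr.strip().strip('"')
                if "@" in addr and addr.rsplit("@", 1)[1].lower() not in org_domains:
                    dests.append(addr)
        if dests:
            hits.append((ev["UserId"], params.get("Name", ""), sorted(dests),
                         params.get("DeleteMessage") == "True"))
    return hits


if __name__ == "__main__":
    for user, rule, dests, deletes in external_forwarding_rules(SAMPLE_EVENTS):
        print(f"{user}: rule {rule!r} forwards to {dests} (deletes original: {deletes})")
```

A rule named with a single dot and combined with DeleteMessage is a common hiding pattern worth weighting higher when triaging hits.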


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
