Microsoft has taken on a prominent role in fighting criminal hackers. The tech giant has been busy building programs that prevent threat actors from targeting its customers, and it has now also taken on the role of protecting NATO countries from Vladimir Putin's gang of criminals.
Recently, Microsoft brought the fight to SEABORGIUM, a Russian threat actor specialising in hacking and social engineering. This actor mostly identifies and targets individuals associated with NATO nations, but was recently stopped in its tracks by the work of the Microsoft Threat Intelligence Center (MSTIC).
According to Microsoft, SEABORGIUM is a notorious threat actor that predominantly targets NATO nations. However, the top-tier criminal group has also featured in hacking campaigns launched against Ukraine and countries in Eastern Europe. In addition, cyber security analysts have tracked hacks carried out by the same threat actor against the Baltic and Nordic regions.
Further analytical reports documented that SEABORGIUM is the same threat actor tracked as ColdRiver by Google's Threat Analysis Group (TAG). The prolific Russian actor is also known as TA446 to Proofpoint researchers.
Meanwhile, Russian state-sponsored hackers have been caught red-handed trying to spy on Russians living abroad, as well as on businesses tied to Russia. The criminals have been targeting the private emails of people of Russian interest. SEABORGIUM is also notorious for spying on former Russian intelligence officers and other Russian experts.
In its report, Microsoft documented that SEABORGIUM's main targets are defense and intelligence consultancy firms. Other targets include non-governmental organizations (NGOs), intergovernmental organizations, and think tanks. SEABORGIUM has also been linked to hacks launched against mostly top-tier educational institutions.
Social Engineering Hacks
LinkedIn and other social media platforms are the main sources SEABORGIUM uses to build its list of targeted organizations and individuals. Its social engineering effort then moves to email, which is used to approach the identities harvested from those social media accounts.
The threat actor's next step is to approach potential targets using fictitious identities. After initiating contact, the hackers quickly establish a rapport with their victims, and then send a phishing attachment to the unsuspecting victims' email addresses.
Microsoft's research team documented cases where the threat actors delivered their malicious content to victims' emails as PDF attachments. These files are controlled by the hackers, with their links redirecting to file hosting websites or to files hosted on OneDrive accounts.
The security team noted that even enabling 2FA cannot prevent the threat actors from accessing compromised accounts once they have stolen the accounts' authentication tokens. According to Microsoft, access to a targeted email account allows the hackers to forward incoming emails to their own accounts, where they can automatically monitor all correspondence the compromised account receives.
Microsoft revealed that the brazen threat actors steal a victim's identity and use it to lure other individuals of interest into their trap. According to Google's and Microsoft's research teams, the first hacking attempts were discovered in May 2022, when the criminals targeted UK political establishments and activists in an effort to steal important documents.
In one instance, Microsoft reported that some stolen documents were leaked online by SEABORGIUM. The documents the hackers made public were stolen from a UK political party.
Microsoft versus SEABORGIUM
Microsoft said its security team has disabled accounts that SEABORGIUM used in its hacking campaigns. In addition, SEABORGIUM's activities have been linked to 69 domains connected to phishing pages that steal login credentials for Microsoft, ProtonMail, and Yandex accounts.
Accordingly, Microsoft has published a list of security recommendations: turning off email auto-forwarding in Microsoft 365, using the published indicators of compromise (IOCs) to look for potential compromise, mandating multi-factor authentication (MFA) for all accounts, and using FIDO security keys. Microsoft also released Azure Sentinel hunting queries [1, 2] so that organizations can search for malicious activity against their email accounts.
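The auto-forwarding abuse described above, and the recommendation to switch forwarding off, can be turned into a simple detection: scan the tenant's audit records for inbox rules or mailbox settings that forward mail to a domain the organisation does not own. The following Python is an added example, not Microsoft's tooling or one of its published hunting queries; the record shape only approximates the Exchange entries of the Microsoft 365 unified audit log (Operation, UserId, and Parameters as Name/Value pairs), and the sample records, user names and domains are constructed.

```python
"""Flag mailbox forwarding to external domains in Microsoft 365 audit records.

Added illustration, not Microsoft's own tooling. The record layout
approximates unified audit log Exchange entries; all sample data is constructed.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Domains the organisation owns (constructed). Forwarding anywhere else is "external".
INTERNAL_DOMAINS = {"example.org"}

# Cmdlet parameters that make an inbox rule or a mailbox send mail elsewhere.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # New-InboxRule / Set-InboxRule
    "ForwardingSmtpAddress", "ForwardingAddress",         # Set-Mailbox
}

# Constructed sample audit log, one JSON record per line.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2022-08-15T09:12:03", "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.org", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "smtp:collector@mail-archive.test"}]}
{"CreationTime": "2022-08-15T10:40:51", "Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@example.org", "Parameters": [{"Name": "Identity", "Value": "bob"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.shared@example.org"}]}
{"CreationTime": "2022-08-15T11:02:19", "Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn", "UserId": "carol@example.org", "Parameters": []}
{"CreationTime": "2022-08-15T13:27:44", "Workload": "Exchange", "Operation": "Set-InboxRule", "UserId": "dave@example.org", "Parameters": [{"Name": "Identity", "Value": "Newsletters"}, {"Name": "ForwardAsAttachmentTo", "Value": "Dave Backup <dave.backup@webmail.test>; smtp:dave@example.org"}]}
"""


@dataclass(frozen=True)
class Finding:
    """One forwarding destination outside the organisation."""
    user: str         # account whose mailbox or rule was changed
    operation: str    # audited cmdlet, e.g. New-InboxRule
    parameter: str    # which parameter carried the destination
    destination: str  # external address mail would be sent to


def load_records(text: str) -> List[dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _extract_addresses(value: str) -> List[str]:
    """Normalise a recipient parameter value into lower-case SMTP addresses.

    Handles the forms seen in audit data: "smtp:user@domain",
    "Display Name <user@domain>", and several entries joined by ";".
    """
    addresses = []
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[len("smtp:"):]
        if "<" in part and part.endswith(">"):
            part = part[part.index("<") + 1:-1]
        if "@" in part:
            addresses.append(part.lower())
    return addresses


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_external_forwarding(records: Iterable[dict]) -> List[Finding]:
    """Return a Finding for every forwarding parameter pointing outside the tenant."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange":
            continue  # only mailbox/rule changes matter here
        for param in rec.get("Parameters", []):
            name = param.get("Name", "")
            if name not in FORWARDING_PARAMS:
                continue
            for addr in _extract_addresses(str(param.get("Value", ""))):
                if is_external(addr):
                    findings.append(Finding(rec.get("UserId", "?"),
                                            rec.get("Operation", "?"), name, addr))
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(load_records(SAMPLE_AUDIT_LOG)):
        print(f"{f.user}: {f.operation} set {f.parameter} -> {f.destination}")
```

On the constructed sample this reports two findings (Alice's rule forwarding to mail-archive.test and Dave's rule forwarding to webmail.test) and ignores Bob's internal forwarding and the sign-in event. In a real tenant the records would come from the unified audit log export or the Sentinel OfficeActivity table rather than an inline string, and the detection complements, not replaces, the preventive control the article mentions: disabling automatic external forwarding tenant-wide in Exchange Online.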