Advanced Persistent Threat groups continue their respective spear-phishing campaigns against targets of interest

Overview

The NCSC released an advisory pertaining to the following Advanced Persistent Threat groups who have enhanced their spear-phishing attack efforts against organisations and individuals in the UK:

• Russia-based SEABORGIUM (Callisto Group/TA446/COLDRIVER/TAG-53)
• Iran-based TA453 (APT42/Charming Kitten/Yellow Garuda/ITG18)

Throughout the 2022 calendar year, the threat groups were detected targeting a variety of industry sectors and individuals including:

• Education
• Defence
• Governmental Organisations
• NGOs
• Think-tanks
• Politicians
• Journalists
• Activists

It should be noted that both groups utilise a similar set of Tactics, Techniques, and Procedures (TTPs) and targeting profiles. However, no known collaboration exists between the groups.

Attack Outline

Both threat groups implement typical spear-phishing techniques, in which a specific individual or group will be targeted with information known to be of interest to them. The following attack chain is typically followed by both threat actor groups:

• Reconnaissance: Open-Source Intelligence (OSINT) tools will be used to conduct research on the target. This will include gathering details from social media and additional networking platforms, as well as subsequently researching the interests and identity of the target’s personal and professional contacts. The threat actors are known to create fake networking profiles to accomplish this goal. Alternatively, they will create email addresses from numerous providers (E.g., Outlook, Gmail and Yahoo), in order to impersonate the target’s known contacts. Although the attackers can send the malicious spear-phishing email to either the target’s professional or personal email account, they tend to prefer the personal email address option. Their initial aim will be to establish a rapport with the target, by engaging in benign communications on a topic that they hope will be a lure to the victim.
• Delivery of malicious link: Subsequent to establishing trust with the victim, the threat group will send the spear-phishing email via the typical methods, which will appear to direct the victim to a document, download, or a webpage of interest. This will lead to a threat actor-controlled server, requesting the target to enter their account credentials. The malicious link could be a direct URL within the body of the email or embedded within the confines of a document from a file-sharing platform such as: OneDrive or GoogleDrive.
• Post-Exploitation Operations: Assuming that the target interacts with the malicious URL and subsequently enters their credentials, the associated account will be successfully compromised. The threat actors will then proceed to use the stolen credentials to login to the email address of the target, following which, they will engage in a number of operations including, but not limited to: theft of the contents of the victim’s inbox and the formulation of email-forwarding rules, which will provide them with transparency pertaining to the correspondence from the victim. Furthermore, the threat actors have additionally been detected to have accessed the mailing-list data and contact lists of the target email account, in order to engage in further targeting.

Containment, Mitigations & Remediations

The following mitigation steps have been outlined by the National Cyber Security Centre:

• Implement the use strong passwords
• Implement the multi-factor authentication requirement
• Protect your devices and networks by keeping them up to date
• Generally, exercise vigilance with regards to incoming emails
• Enable your email providers’ automated email scanning features
• Disable mail-forwarding

Furthermore, it has been recommended that any activity that is detected, which is compatible with that outlined in this advisory here, should be reported to the NCSC.

Mitre Methodologies

• T1593 – Search Open Websites/Domains
• T1589 – Gather Victim Identity Information
• T1585.001 – Establish Accounts: Social Media Accounts
• T1585.002 – Establish Accounts: Email Accounts
• T1583.001 – Acquire Infrastructure: Domains
• T1586.002 – Compromise Accounts: Email Accounts
• T1078 – Valid Accounts
• T1566.001 – Phishing: Spearphishing Attachment
• T1566.002 – Phishing: Spearphishing Link
• T1114.002 – Email Collection: Remote Email Collection
• T1114.003 – Email Collection: Email Forwarding Rule

Conclusion

The use of the spear-phishing attack vector is common amongst established threat actor groups. However, what is significant regarding SEABORGIUM and TA453, is that they are evolving the process association with these attacks, leading to increasingly sophisticated attack efforts. As such, organizations and individuals ought to maintain a high level of vigilance and follow the recommended defence strategies outlined by the NCSC.

Further Information

NCSC advisory