The UK’s National Cyber Security Centre (NCSC) has warned that Russian and Iranian state-sponsored hackers have used spear phishing attacks to execute information-gathering operations.
Spear phishing is a targeted form of phishing where the attacker uses specific information about the victim to personalise their attack. This method of attack is considerably more effective than generic mass email campaigns.
The nation’s cybersecurity agency has also seen an increase in spear-phishing attacks linked to threat actors labelled as SEABORGIUM and TA453. NCSC said the hackers often target people working on projects involving Russia and Iran.
SEABORGIUM, also known as ‘TA446,’ is a Russian state-sponsored threat organisation that recently attacked NATO countries.
According to the UK NCSC report:
Although there is similarity in the TTPs (tactics, techniques, and procedures) and targeting profiles, these campaigns are separate, and the two groups are not collaborating. The attacks are not aimed at the general public but at targets in specific sectors, including academia, defence, government organisations, NGOs, think tanks, as well as politicians, journalists, and activists.
Microsoft disabled the internet accounts the group was using in August, which slowed down their activity but did not completely stop the attacks.
The Islamic Revolutionary Guard Corps (IRGC), the main branch of the Iranian Armed Forces, is thought to be the base of operations for the Iranian threat organisation TA453, also known as APT42. In the Middle East, the actor has previously been seen impersonating journalists and directing its attacks at academics and policy experts.
Attacks Using Spear Phishing
The National Cyber Security Centre (NCSC) provided information in a public advisory regarding the methods and strategies employed by the attackers. The threat actors carry out reconnaissance using open-source tools, such as networking platforms (like LinkedIn), to learn enough about their targets to create effective social engineering scenarios.
In most cases, the hackers try to gain the trust of their target by pretending to be someone who is likely to contact them, such as a journalist, in order to trick them into clicking a malicious link. This rapport-building can take place over the course of multiple emails and other online conversations.
The attackers also create malicious URLs that spoof real businesses, often those with interests similar to the target’s, to boost their chances of success.
Once the attackers have established a connection with the victim, they send the victim a link that redirects to a phishing website. Following a successful attack, the attackers can view the victim’s whole history of previous conversations and obtain their email user credentials.
Additionally, the attackers installed mail-forwarding rules on the victim’s email account, allowing any upcoming communications between the victim and their contacts to be automatically shared with them.
The Russian and Iranian governments have not been officially blamed, despite the fact that both organisations are thought to be state-directed and involved in what are being called cyber espionage activities. Such official attributions, when they are made, are issued by the foreign secretary or other Foreign Office ministers.
NCSC Recommendation and Mitigation
The NCSC warns people to be particularly careful when they get plausible-sounding emails from strangers using Gmail, Yahoo, Outlook, or other webmail accounts, often spoofing known connections of the target collected from social media.
For any online service, the NCSC advises using strong and unique passwords, and enabling multi-factor authentication (MFA) wherever it is possible. NCSC further recommends that potential targets enable their email providers’ automatic email scanning tools and block mail forwarding on their accounts.
The Centre for the Protection of National Infrastructure’s (CPNI) ‘Think Before You Link’ application is also designed to help users identify fraudulent online accounts and reduce the danger of being targeted.
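As an added, defender-side illustration of the mail-forwarding persistence step described above and of the NCSC’s advice to block mail forwarding, the following Python script (not from the NCSC advisory or from Phishing Tackle) scans constructed mailbox-audit records for rules or mailbox settings that forward or redirect mail to addresses outside the organisation. The record layout, the internal domain `example.org` and the `webmail.example` addresses are constructed assumptions; the parameter names are modelled loosely on Exchange inbox-rule and mailbox-forwarding settings and should be mapped to whatever your own audit log emits.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the organisation.

Added example (not the NCSC's or Phishing Tackle's code). The record shape
(Operation / UserId / CreationTime / Parameters as Name-Value pairs) and all
addresses below are constructed assumptions; map the field names to your own
log source before use.
"""
import json

# Domains owned by the organisation; anything else counts as external (assumption).
INTERNAL_DOMAINS = {"example.org"}

# Rule and mailbox parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = (
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox-rule level
    "ForwardingSmtpAddress", "ForwardingAddress",         # mailbox level
)

# Constructed sample records. The second one mirrors the pattern in the article:
# a rule with an inconspicuous name that forwards to a webmail address and
# deletes the original so the owner never notices the leak.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "analyst@example.org",
     "CreationTime": "2023-01-26T09:12:00",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "From", "Value": "boss@example.org"},
                    {"Name": "MoveToFolder", "Value": "Updates"}]},
    {"Operation": "New-InboxRule", "UserId": "analyst@example.org",
     "CreationTime": "2023-01-26T09:30:00",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive.backup@webmail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "editor@example.org",
     "CreationTime": "2023-01-26T10:05:00",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ed.notes@webmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]


def _domain(address):
    """Extract the domain part, tolerating the 'smtp:' prefix some logs carry."""
    address = address.strip().lower().removeprefix("smtp:")
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def is_external(address):
    return _domain(address) not in INTERNAL_DOMAINS


def params_of(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify(record):
    """Return a finding for records that introduce external forwarding, else None."""
    params = params_of(record)
    targets = []
    for key in FORWARDING_PARAMS:
        value = params.get(key)
        if value:
            # Forwarding parameters may hold several recipients separated by ';'.
            targets.extend(v.strip() for v in value.split(";") if v.strip())
    external = [t for t in targets if is_external(t)]
    if not external:
        return None
    # Escalate when the rule is built to hide itself: originals deleted, or a
    # near-empty rule name that is easy to overlook in the mailbox UI.
    severity = "high"
    name = params.get("Name")
    hides_evidence = params.get("DeleteMessage", "").lower() == "true"
    unnamed = name is not None and len(name.strip()) <= 1
    if hides_evidence or unnamed:
        severity = "critical"
    return {"user": record["UserId"], "operation": record["Operation"],
            "time": record["CreationTime"], "targets": external,
            "severity": severity}


def audit(records):
    """Run classify() over every record and keep only the findings."""
    return [f for f in (classify(r) for r in records) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run against the constructed records, the benign move-to-folder rule produces nothing, the self-deleting webmail rule is rated critical, and the mailbox-level SMTP forward is rated high; in production the same logic would be fed from an export of audit events or a periodic enumeration of every mailbox’s rules, with the internal-domain set taken from the tenant’s accepted domains.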
Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.