The SEABORGIUM phishing operation targets organizations with a connection to Russian interests, leveraging three different open-source phishing kits, the most prevalent of which has been observed in recently reported phishing attacks.
Context
On August 15, 2022, Microsoft Threat Intelligence Center (MSTIC) researchers disclosed details of a phishing and cyberespionage operation that they disrupted in partnership with the Google Threat Analysis Group (TAG) and the Proofpoint Threat Research Team. Microsoft researchers attributed the operation to a Russian state-connected threat actor they designate as SEABORGIUM. The hacking operation targeted government, consulting, nonprofit, diplomatic, think-tank, and higher education organizations that primarily reside in the United States, United Kingdom, and additional NATO countries, as well as occasional attacks against Baltic, Nordic, and Eastern European targets. Microsoft researchers noted that the group also targeted high-profile current and former government officials, experts on Russian geopolitics, and Russian citizens abroad.
Impact Analysis
While not directly focused on the retail, hospitality, or travel sectors, this campaign is helpful for analysis in two key ways:
- The operation targeted several organizations publicly perceived to be allied with or supporting Ukraine during the ongoing Russian invasion. Organizations that have taken public stances on the conflict should remain vigilant, monitoring both threats and open-source reporting on cyber activity related to the situation, while maintaining cyber-hygiene best practices such as regular scans and patching regimens.
- The retail, hospitality, and travel market sectors have recently experienced a high level of phishing from multiple sophisticated actors, especially phishing activity focused on credential harvesting and leveraging EvilGinx. The SEABORGIUM operation fits into this global pattern of increasingly sophisticated phishing attacks targeting diverse organizations and using open-source toolkits. As such, organizations in the retail, hospitality, and travel industries should be aware of the campaign from a strategic perspective and are advised to ingest the indicators of compromise (IOCs) included here.
Technical Details
Microsoft has tracked this operation for years and has documented a consistent methodology for SEABORGIUM. SEABORGIUM is tracked by different security firms under different names: Callisto Group (F-Secure), TA446 (Proofpoint), and COLDRIVER (Google). The Security Service of Ukraine (SSU) has associated the Callisto Group (F-Secure) with the Gamaredon Group (tracked by Microsoft as ACTINIUM). Microsoft has not confirmed any connections between ACTINIUM and SEABORGIUM.
SEABORGIUM has been observed conducting extensive reconnaissance into targets in order to impersonate known contacts. Threat actors then create new email accounts via multiple providers configured to closely resemble the impersonated party’s contact information. To establish contact, threat actors send emails either asking casual questions or with authoritative language on a professional subject that directs targets to open a malicious file attachment, often a PDF, or click a malicious URL.
SEABORGIUM has been observed sending both malicious files containing malicious links and emails with malicious URLs in the body text of the messages. After clicking, the target is directed to a server hosting a phishing framework, often EvilGinx, which has been used in separate campaigns recently. In other instances, the operation leverages the Muraena and Modlishka phishing frameworks.
Threat actors often fingerprint target browsing behavior to evade automated browsing and detonation. Targets are then directed to an imposter login page to enter credentials. Once credentials have been harvested, SEABORGIUM actors sign into target email accounts to exfiltrate inbox contents, set up forwarding rules to threat actor accounts for ongoing intelligence collection, and impersonate the target to contact other individuals in the target’s contacts.
Mitigation Options
Microsoft provided the following mitigation actions for Microsoft users:
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
- Configure Office 365 to disable email auto-forwarding.
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
- Require multifactor authentication (MFA) for all users coming from all locations, including perceived trusted environments, and for all internet-facing infrastructure, including connections coming from on-premises systems.
- Leverage more secure MFA implementations such as FIDO tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to reduce the risks associated with SIM-jacking.
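The technical details above describe SEABORGIUM setting up forwarding rules to threat actor accounts, and the mitigation above is to disable auto-forwarding. The following is an added example, not the bulletin's or Microsoft's code, that audits an export of mailbox inbox rules and flags any rule that forwards or redirects mail outside the organization. The JSON record shape (`Mailbox`, `Name`, `Enabled`, `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `MoveToFolder`) is an assumption modelled loosely on Exchange Online inbox-rule properties, the domain list and sample rules are constructed, and you would adapt the keys to whatever export your tenant produces.

```python
"""Audit exported mailbox inbox rules for forwarding to external recipients.

Added example, not the bulletin's or Microsoft's code. The record shape
below is an assumption (loosely modelled on Exchange Online inbox-rule
properties); adapt the keys to your own export.
"""
import json
from typing import Dict, List

# Domains the organization owns (constructed); anything else is external.
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}

# Rule actions that send a copy of, or redirect, the message elsewhere.
FORWARDING_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample export: four rules; two forward externally, one of
# those is currently disabled.
SAMPLE_EXPORT = json.dumps([
    {"Mailbox": "alice@example.org", "Name": "Archive newsletters",
     "Enabled": True, "MoveToFolder": "Newsletters"},
    {"Mailbox": "alice@example.org", "Name": "Backup",
     "Enabled": True, "ForwardTo": ["collector@attacker.example"]},
    {"Mailbox": "bob@example.org", "Name": "Copy to deputy",
     "Enabled": True, "RedirectTo": ["Carol <carol@Example.ORG>"]},
    {"Mailbox": "dave@example.org", "Name": "Sync",
     "Enabled": False, "ForwardAsAttachmentTo": ["x@other.example"]},
])


def address_domain(addr: str) -> str:
    """Lower-cased domain of an SMTP address, tolerating 'Name <user@dom>'."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rpartition("@")[2].lower()


def external_targets(rule: Dict) -> List[str]:
    """All forwarding/redirect recipients of a rule that are not internal."""
    found = []
    for action in FORWARDING_ACTIONS:
        for recipient in rule.get(action) or []:
            if address_domain(recipient) not in INTERNAL_DOMAINS:
                found.append(recipient)
    return found


def audit_rules(export_json: str, include_disabled: bool = False) -> List[Dict]:
    """Findings for every rule that forwards mail outside the organization.

    Disabled rules are skipped by default; pass include_disabled=True to
    review them too, since a dormant rule can simply be re-enabled later.
    """
    findings = []
    for rule in json.loads(export_json):
        enabled = bool(rule.get("Enabled", True))
        if not enabled and not include_disabled:
            continue
        targets = external_targets(rule)
        if targets:
            findings.append({
                "mailbox": rule["Mailbox"],
                "rule": rule.get("Name", ""),
                "external_recipients": targets,
                "enabled": enabled,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT, include_disabled=True):
        state = "enabled" if f["enabled"] else "DISABLED"
        print(f"{f['mailbox']}: rule {f['rule']!r} ({state}) forwards to "
              f"{', '.join(f['external_recipients'])}")
```

Run it against a real export after disabling tenant-wide auto-forwarding: the tenant setting stops new forwarding, but rules created before the change still show up in the export and are the ones worth investigating alongside the account's sign-in history.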
For Microsoft Defender for Office 365 Customers:
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
- Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Configure Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
- Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns within your organization. Run spear-phishing (credential harvester) simulations to train end-users against clicking URLs in unsolicited messages and disclosing their credentials.
IOCs
Microsoft researchers provided the following IOCs:
Indicator | Type | Notes |
--- | --- | --- |
cache-dns[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cache-dns-forwarding[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cache-dns-preview[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cache-docs[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cache-pdf[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cache-pdf[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cache-services[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cloud-docs[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cloud-drive[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cloud-storage[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-cache[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-forwarding[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-info[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-shared[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-shared[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-view[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
document-forwarding[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
document-online[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
document-preview[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-cloud[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-cloud[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-forwarding[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
document-share[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-online[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-pdf[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-preview[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
documents-view[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
document-view[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
drive-docs[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
drive-share[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
goo-link[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
hypertextteches[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
mail-docs[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
officeonline365[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
online365-office[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
online-document[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
online-storage[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
pdf-cache[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
pdf-cache[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
pdf-docs[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
pdf-forwarding[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
protection-checklinks[.]xyz | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
protection-link[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
protectionmail[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
protection-office[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
protect-link[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
proton-docs[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
proton-reader[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
proton-viewer[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
relogin-dashboard[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
safe-connection[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
safelinks-protect[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
secureoffice[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
webresources[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
word-yand[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
yandx-online[.]cloud | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
y-ml[.]co | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-drive[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-info[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
cloud-mail[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
onlinecloud365[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
pdf-cloud[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
pdf-shared[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
proton-pdf[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
proton-view[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
office365-online[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
doc-viewer[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
file-milgov[.]systems | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
office-protection[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
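The mitigation list above asks readers to check whether these IOCs exist in their environment. The following is an added example, not the bulletin's or Microsoft's tooling, that parses the defanged IOC table into real domain names and matches them against DNS and proxy log lines, treating any subdomain of an indicator as a hit while ignoring an indicator that merely appears inside a URL path or as a prefix of an unrelated host. The four table rows are copied from the list above; the log lines are constructed samples in a generic `timestamp client verb target` layout, so the field extraction is an assumption to adapt to your own log source.

```python
"""Match a defanged IOC domain list against DNS and proxy logs.

Added example, not part of the bulletin or Microsoft's tooling. IOC rows
are copied from the table above; the log lines are constructed samples.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the IOC table above, in its defanged "Indicator | Type | Notes" form.
IOC_TABLE = """\
Indicator | Type | Notes |
cache-dns[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
docs-shared[.]online | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
proton-viewer[.]com | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
officeonline365[.]live | Domain name | Phishing Domain leveraged in SEABORGIUM phishing operations |
"""

# Constructed sample logs: resolver queries and proxy requests with full URLs.
SAMPLE_LOGS = [
    "2022-08-16T09:12:01Z 10.0.4.21 query A login.docs-shared.online",
    "2022-08-16T09:12:03Z 10.0.4.21 GET https://login.docs-shared.online/ 200",
    "2022-08-16T09:15:44Z 10.0.7.9 GET https://www.example.com/docs-shared.online 200",
    "2022-08-16T09:20:10Z 10.0.4.30 GET https://officeonline365.live.example.net/ 200",
    "2022-08-16T09:21:00Z 10.0.4.30 query A proton-viewer.com",
]


def refang(indicator: str) -> str:
    """Turn the defanged form (x[.]y, hxxp) back into a real hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_domain_iocs(table: str) -> Set[str]:
    """Parse 'Indicator | Type | Notes |' rows, keeping only domain names."""
    domains = set()
    for line in table.splitlines()[1:]:          # skip the header row
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 2 and cells[1].lower() == "domain name":
            domains.add(refang(cells[0]))
    return domains


# Bare hostname: at least one dotted label followed by an alphabetic TLD,
# which also keeps dotted-quad IP addresses from matching.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def hosts_in(line: str) -> Set[str]:
    """Hostnames in a log line: URL authorities only for URLs, bare names otherwise."""
    hosts = set()
    for token in line.split():
        if "://" in token:
            host = urlsplit(token).hostname   # path components are ignored
            if host:
                hosts.add(host.lower())
        else:
            hosts.update(h.lower() for h in HOST_RE.findall(token))
    return hosts


def matches_ioc(host: str, iocs: Set[str]) -> Optional[str]:
    """The IOC that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_logs(lines: List[str], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (line, host, matched_ioc) for every IOC hit in the logs."""
    hits = []
    for line in lines:
        for host in sorted(hosts_in(line)):
            ioc = matches_ioc(host, iocs)
            if ioc:
                hits.append((line, host, ioc))
    return hits


if __name__ == "__main__":
    for line, host, ioc in scan_logs(SAMPLE_LOGS, load_domain_iocs(IOC_TABLE)):
        print(f"HIT {ioc} (host {host}): {line}")
```

Suffix matching on label boundaries is what makes `login.docs-shared.online` a hit while `officeonline365.live.example.net` is not; a plain substring search would get both of those cases wrong. Feed the full table from this bulletin into `IOC_TABLE` and your resolver and proxy exports into `SAMPLE_LOGS` to run the same check at scale.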