On Thursday, the U.K. National Cyber Security Centre (NCSC) issued a warning about spear-phishing attacks carried out by state-sponsored actors in Iran and Russia.
The agency attributed the intrusions to SEABORGIUM (also known as Callisto, COLDRIVER, and TA446) and APT42 (also known as ITG18, TA453, and Yellow Garuda). Despite the parallels in the ways the two groups operate, there is no evidence that they are working together.
This behaviour is characteristic of spear-phishing tactics, in which the threat actors send communications that are personalised to the targets, taking the time to learn about their interests and map their social and professional networks.
Before moving on to the exploitation stage, the initial interaction can last for weeks and is intended to seem innocent in an effort to win their trust.
Malicious links are one way of doing this, and they have the potential to cause credential theft, further compromise, and even data exfiltration.
According to reports, both groups used phoney profiles on social media sites to pose as journalists and experts in their fields in order to dupe victims into clicking on the links.
The stolen credentials are then used to access the targets' email accounts and the sensitive data in them, and also to set up mail-forwarding rules so the attackers can keep track of the victim's correspondence.
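The mail-forwarding rules described above are a persistence mechanism that defenders can audit for. The following is an added example, not code from the NCSC advisory: it scans an exported list of inbox rules for ones that forward or redirect mail to external domains, delete messages, or carry near-empty names. The field names (`ForwardTo`, `RedirectTo`, `DeleteMessage`) and the sample rules are assumptions modelled loosely on a typical mailbox-rule export, not a specific vendor's schema.

```python
"""Flag inbox rules that match the forwarding tradecraft described in the advisory."""
import json

# Constructed sample export; field names are assumptions, not a vendor schema.
SAMPLE_RULES = json.dumps([
    {"Mailbox": "a.jones@example.org", "Name": "Archive", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "a.jones@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ["collector@mail-example.net"], "RedirectTo": [],
     "DeleteMessage": True},
    {"Mailbox": "b.khan@example.org", "Name": "To manager", "Enabled": True,
     "ForwardTo": ["c.lee@example.org"], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "b.khan@example.org", "Name": "old", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["x@mail-example.net"], "DeleteMessage": False},
])

INTERNAL_DOMAINS = {"example.org"}  # the organisation's own mail domains


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def find_suspicious_rules(rules_json: str, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, reasons) for each enabled rule worth reviewing."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", False):
            continue  # a disabled rule moves no mail; review separately if needed
        reasons = []
        recipients = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
        external = [r for r in recipients if is_external(r, internal_domains)]
        if external:
            reasons.append("forwards to external: " + ", ".join(external))
        if rule.get("DeleteMessage"):
            reasons.append("deletes messages (hides the correspondence from the owner)")
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((rule["Mailbox"], rule["Name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: {'; '.join(reasons)}")
```

Only the rule on a.jones@example.org is reported; the internal forward for b.khan@example.org is legitimate and the disabled rule is skipped.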
The Russian state-backed SEABORGIUM group has a history of carrying out its credential-harvesting attacks by setting up phoney login pages that imitate legitimate defence firms and nuclear research facilities.
According to reports, APT42, the espionage arm of Iran's Islamic Revolutionary Guard Corps (IRGC), collaborates with PHOSPHORUS and is a component of a broader organisation known as Charming Kitten.
Like SEABORGIUM, the threat actor is known to pose as journalists, research institutions, and think tanks in order to interact with its targets, and it uses a constantly evolving toolkit of techniques to suit the IRGC's shifting priorities.
In December 2022, enterprise security company Proofpoint reported that the group had used compromised accounts, malware, and confrontational lures to go after targets with backgrounds ranging from medical researchers to realtors to travel agencies, describing it as a departure from its expected phishing activity.
These campaigns by threat actors based in Russia and Iran continue to pursue their targets relentlessly in an attempt to steal online credentials and compromise potentially sensitive systems.