
Microsoft has disrupted a prolific and highly persistent Russian state-backed threat group tracked as Seaborgium (aka Callisto Group, ColdRiver, TA446), known for long-running cyber-espionage campaigns aimed mainly at NATO countries.
Microsoft disabled the accounts the group used for reconnaissance, phishing, and email collection, and updated the detections for its phishing domains in Microsoft Defender SmartScreen.
Once successful, it slowly infiltrates targeted organizations' social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. Seaborgium has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics.
Microsoft statement
Seaborgium targeted over 30 organizations, mainly defense and intelligence consulting companies, NGOs and IGOs, think tanks, and higher-education institutions. The group also targets individuals such as former intelligence officials and Russian citizens living abroad, Microsoft said.
After initial reconnaissance on its targets, the group tries to establish rapport by contacting them on social media. Soon after, it sends a phishing email purporting to contain content of interest to the recipient.
The malicious URL may sit in the body of the email, behind a clickable button in an attachment, or behind a OneDrive link that leads to a PDF file containing the URL. The ultimate goal is credential theft followed by data exfiltration.
Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework. Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior.
Microsoft explained
Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials. After credentials are captured, the target is redirected to a website or document to complete the interaction.
Once Seaborgium has access to the victim's email account, it looks to exfiltrate intelligence data and, on occasion, uses the compromised account to approach other people of interest and obtain sensitive information.
Remediation actions
- Check Office 365 email filtering settings to ensure policies are in place to block spoofed email, spam, and email carrying malware.
- Configure Office 365 to disable email auto-forwarding.
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Require multifactor authentication (MFA) for all users by default, preferring FIDO tokens or Microsoft Authenticator.
- Avoid telephony-based MFA methods (SMS or voice call) because of the risk of SIM-jacking.
Indicators of Compromise
- cache-dns[.]com
- cache-dns-forwarding[.]com
- cache-dns-preview[.]com
- cache-docs[.]com
- cache-pdf[.]com
- cache-pdf[.]online
- cache-services[.]live
- cloud-docs[.]com
- cloud-drive[.]live
- cloud-storage[.]live
- docs-cache[.]com
- docs-forwarding[.]online
- docs-info[.]com
- docs-shared[.]com
- docs-shared[.]online
- docs-view[.]online
- document-forwarding[.]com
- document-online[.]live
- document-preview[.]com
- documents-cloud[.]com
- documents-cloud[.]online
- documents-forwarding[.]com
- document-share[.]live
- documents-online[.]live
- documents-pdf[.]online
- documents-preview[.]com
- documents-view[.]live
- document-view[.]live
- drive-docs[.]com
- drive-share[.]live
- goo-link[.]online
- hypertextteches[.]com
- mail-docs[.]online
- officeonline365[.]live
- online365-office[.]com
- online-document[.]live
- online-storage[.]live
- pdf-cache[.]com
- pdf-cache[.]online
- pdf-docs[.]online
- pdf-forwarding[.]online
- protection-checklinks[.]xyz
- protection-link[.]online
- protectionmail[.]online
- protection-office[.]live
- protect-link[.]online
- proton-docs[.]com
- proton-reader[.]com
- proton-viewer[.]com
- relogin-dashboard[.]online
- safe-connection[.]online
- safelinks-protect[.]live
- secureoffice[.]live
- webresources[.]live
- word-yand[.]live
- yandx-online[.]cloud
- y-ml[.]co
- docs-drive[.]online
- docs-info[.]online
- cloud-mail[.]online
- onlinecloud365[.]live
- pdf-cloud[.]online
- pdf-shared[.]online
- proton-pdf[.]online
- proton-view[.]online
- office365-online[.]live
- doc-viewer[.]com
- file-milgov[.]systems
- office-protection[.]online
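One way to act on the "use the included indicators of compromise" remediation step with the domain list above. This is an added example, not code from Microsoft or from the original article: it refangs the `[.]`-defanged domains, pulls hostnames out of proxy and mail log lines, and flags exact or subdomain matches while ignoring look-alike prefixes such as `notcache-docs.com`. The log lines and the log format are constructed for the example; only a representative subset of the IOC domains is embedded, and the full list above can be pasted into `IOC_TEXT` in the same format.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Representative subset of the defanged domains listed in the advisory.
# Paste the remaining entries from the list above into this string as-is.
IOC_TEXT = """
cache-docs[.]com
docs-shared[.]online
proton-viewer[.]com
officeonline365[.]live
file-milgov[.]systems
"""

# A hostname is one or more dot-separated labels plus an alphabetic TLD.
# The lookbehind/lookahead stop us from matching from the middle of a
# longer host (e.g. picking "docs.com" out of "cache-docs.com").
HOST_RE = re.compile(r"(?i)(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])")

# Constructed sample telemetry for this example; not real logs.
SAMPLE_LOG = [
    '2022-08-15T09:12:01Z proxy user=alice GET https://cache-docs.com/view?id=7f3 status=200',
    '2022-08-15T09:12:05Z proxy user=alice GET https://docs.microsoft.com/en-us/ status=200',
    '2022-08-15T10:03:44Z mail from=editor@docs-shared.online to=bob@corp.example subject="draft"',
    '2022-08-15T10:05:10Z proxy user=bob GET https://login.proton-viewer.com/auth status=302',
    '2022-08-15T11:00:00Z proxy user=carol GET https://notcache-docs.com/ status=200',
]


def refang(ioc: str) -> str:
    """Turn the defanged form used in the advisory (example[.]com) back into
    a real hostname, lower-cased and without stray surrounding dots."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").strip(".")


def load_iocs(text: str) -> Set[str]:
    """Parse one defanged domain per line into a set of real hostnames."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def extract_hosts(line: str) -> List[str]:
    """Return every hostname-looking token in a log line, lower-cased."""
    return [h.lower() for h in HOST_RE.findall(line)]


def matching_ioc(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that covers `host`: an exact match, or the parent
    domain when `host` is a subdomain of an IOC. A plain substring test
    would also fire on look-alikes like notcache-docs.com, so only an
    exact match or a dot-delimited suffix counts."""
    if host in iocs:
        return host
    for ioc in iocs:
        if host.endswith("." + ioc):
            return ioc
    return None


def sweep(log_lines: Iterable[str], iocs: Set[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines and return (line_number, observed_host, matched_ioc)
    for every hostname that matches an indicator."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in extract_hosts(line):
            ioc = matching_ioc(host, iocs)
            if ioc is not None:
                hits.append((number, host, ioc))
    return hits


if __name__ == "__main__":
    for number, host, ioc in sweep(SAMPLE_LOG, load_iocs(IOC_TEXT)):
        print(f"line {number}: {host} matches IOC {ioc}")
```

Running the script against the constructed sample flags lines 1, 3 and 4 (the subdomain `login.proton-viewer.com` is attributed to its parent IOC) and stays silent on `docs.microsoft.com` and on the `notcache-docs.com` look-alike. To run it over real data, feed `sweep()` an open file object instead of `SAMPLE_LOG`; the hostname regex is deliberately loose, so a hit is a starting point for investigation rather than proof of compromise.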