Increased Levels of Cyber Threat from Russia and Iran
Category: Threat Actor Activity | Industries: Defense, Education, Government, Non-Government Organizations (NGOs), Think Tanks | Level: Strategic | Source: NCSC
The U.K. National Cyber Security Centre (NCSC) warns of increased cyber activity, particularly spear-phishing campaigns, from the Russian state-sponsored group SEABORGIUM (aka Callisto Group, COLDRIVER, TA446, TAG-53) and the Iran-based APT42 (Charming Kitten, ITG18, TA453, Yellow Garuda), aimed at collecting data from individuals and organizations. Campaigns in 2022 showed the threat groups targeting verticals in defense, education, government, non-government organizations (NGOs), and think tanks. Individuals associated with politics, journalism, and activism were also targeted. Using open-source research, SEABORGIUM and APT42 actors profile their targets and create social media personas of individuals or entities to lure engagement from them. As observed by the NCSC, the groups created "fake social media or networking profiles that impersonate respected experts, and used supposed conference or event invitations, as well as false approaches from journalists."
Conversations initiated by the groups are well constructed around themes and topics that draw the target's interest and build trust. Web links are crafted using legitimate file-sharing services such as OneDrive or Google Drive. In a few instances, the threat actors distribute fake Zoom links or, during a Zoom call, post a malicious link in the call's chat. Email credentials are highlighted as the groups' main objective: with them, the actors set up auto-forward rules to exfiltrate communication data and leverage the compromised account for further attacks.
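A defender's counterpart to the auto-forward technique described above is a check for mailbox rules that forward to external domains. The following is an added example, not code from the NCSC advisory; the rule-event records and their field names are a constructed, simplified shape, so real Exchange or Microsoft 365 audit events would need to be mapped onto it first.

```python
"""Flag mailbox inbox rules that forward mail outside the organization.

Added example for the advisory above, not part of it. The RuleEvent shape
and the sample records are constructed (assumption); real audit events
differ in field names and must be mapped before use.
"""
from dataclasses import dataclass, field


@dataclass
class RuleEvent:
    user: str                 # mailbox owner, e.g. user principal name
    rule_name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    delete_message: bool = False  # rule also deletes the local copy
    mark_as_read: bool = False    # rule also marks the mail as read


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_suspicious_forwarding(events, internal_domains):
    """Return findings for rules that forward to addresses outside
    internal_domains. Rules that also hide the mail (delete or mark as
    read) or carry a near-empty name are rated higher."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for ev in events:
        external = [a for a in ev.forward_to if _domain(a) not in internal]
        if not external:
            continue  # internal-only forwarding is normal mailbox use
        reasons = ["forwards to external recipient(s): " + ", ".join(external)]
        severity = "medium"
        if ev.delete_message or ev.mark_as_read:
            severity = "high"
            reasons.append("rule also hides the forwarded mail from the owner")
        if len(ev.rule_name.strip()) <= 1:
            severity = "high"
            reasons.append("rule name is blank or a single character")
        findings.append({"user": ev.user, "rule": ev.rule_name,
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    RuleEvent("alice@example.org", "Archive", ["alice@example.org"]),
    RuleEvent("bob@example.org", ".", ["bob.backup@webmail-example.net"],
              delete_message=True),
    RuleEvent("carol@example.org", "Team copy", ["team@partner-example.com"]),
]
```

Running `find_suspicious_forwarding(SAMPLE_EVENTS, {"example.org"})` yields two findings: Bob's hidden, single-character rule rated high and Carol's external copy rated medium.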