Russian Threat Group Initiates Credential Harvesting Campaign Across Many Verticals
Recorded Future's research team, Insikt Group, tracked activity from the Russian threat group TAG-53, which has been spoofing the Microsoft login page of a United States military weapons and hardware supplier as part of a credential harvesting campaign. TAG-53 activity overlaps with that of Callisto Group, COLDRIVER, and SEABORGIUM, a cluster aligned with the Russian state's strategic interests. "Insikt Group has observed the recurring use of common traits by TAG-53 when curating its infrastructure, including the use of domain names employing a specific pattern construct along with Let's Encrypt TLS certificates, the use of a specific cluster of hosting providers, and the use of a small cluster of autonomous systems." Domain registrars commonly seen in TAG-53 infrastructure are Porkbun, NameCheap, regway, and REG[.]RU. Based on other domains tied to TAG-53, targeted verticals also include aerospace, defense, government, logistics, non-governmental organizations (NGOs), telecommunications, and technology.
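The infrastructure traits above (a favoured set of registrars, Let's Encrypt certificates, a small cluster of hosting providers and autonomous systems) are the kind of thing a hunter turns into a pivot score over candidate domains. The script below is an added example, not code from Recorded Future or the Insikt Group report. The registrar list comes from the text; the hosting-provider labels and ASN values are placeholders, because the report's actual cluster is not published here, and the domain records are constructed sample data on the reserved `.test` TLD. The report's domain-name pattern is likewise not reproduced here since this excerpt does not state it.

```python
"""Infrastructure-overlap triage for TAG-53-style candidate domains.

Added example, not from the Recorded Future / Insikt Group report. Scores
candidate domains by how many of the reported infrastructure traits they
share: a registrar from the set the report names, a Let's Encrypt TLS
certificate, and membership of a small hosting-provider / ASN cluster.
"""
from dataclasses import dataclass

# Registrars the report names as common in TAG-53 infrastructure
# (comparison keys: lower-case, de-fanged).
TAG53_REGISTRARS = ("porkbun", "namecheap", "regway", "reg.ru")

# HYPOTHETICAL hosting/ASN cluster. The report says TAG-53 favours a small
# cluster of providers and autonomous systems but the values are not given in
# this excerpt, so these are placeholders: ASNs from the documentation range
# (RFC 5398) and made-up provider labels.
SUSPECT_ASNS = {64500, 64501}
SUSPECT_HOSTERS = {"hoster-a", "hoster-b"}


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str      # WHOIS/RDAP registrar string as collected
    cert_issuer: str    # issuer O= of the leaf certificate (CT log or live TLS)
    asn: int            # origin AS of the A record at observation time
    hoster: str         # hosting-provider label from the netblock owner


def normalize_registrar(name: str) -> str:
    """Fold registrar strings to a comparable key: lower-case, re-fang "[.]"
    (reports defang as REG[.]RU), drop company suffixes such as ", Inc."."""
    key = name.lower().replace("[.]", ".")
    for suffix in (", inc.", " inc.", ", llc", " llc"):
        key = key.replace(suffix, "")
    return key.strip()


def trait_matches(rec: DomainRecord) -> dict[str, bool]:
    """Which of the reported infrastructure traits this record shares."""
    reg = normalize_registrar(rec.registrar)
    return {
        "registrar": any(r in reg for r in TAG53_REGISTRARS),
        "letsencrypt": "let's encrypt" in rec.cert_issuer.lower(),
        "asn": rec.asn in SUSPECT_ASNS,
        "hoster": rec.hoster.lower() in SUSPECT_HOSTERS,
    }


def overlap_score(rec: DomainRecord) -> int:
    return sum(trait_matches(rec).values())


def triage(records, threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Return (domain, score, matched traits) for records at or above the
    threshold, highest score first. A Let's Encrypt certificate or a popular
    registrar alone is near-universal on the open web, so the threshold
    requires several traits to coincide before a domain is surfaced."""
    out = []
    for rec in records:
        hits = trait_matches(rec)
        score = sum(hits.values())
        if score >= threshold:
            out.append((rec.domain, score, [k for k, v in hits.items() if v]))
    return sorted(out, key=lambda t: (-t[1], t[0]))


# Constructed sample records (reserved .test TLD); not real observations.
SAMPLE_RECORDS = [
    DomainRecord("portal-sso-update.test", "Porkbun LLC", "Let's Encrypt", 64500, "hoster-a"),
    DomainRecord("secure-mail-check.test", "REG[.]RU", "Let's Encrypt", 64501, "hoster-b"),
    DomainRecord("family-photo-blog.test", "NameCheap, Inc.", "Let's Encrypt", 13335, "cloudflare"),
    DomainRecord("corp-site.test", "GoDaddy.com, LLC", "DigiCert Inc", 15169, "google"),
]

if __name__ == "__main__":
    for domain, score, traits in triage(SAMPLE_RECORDS):
        print(f"{domain}: {score}/4 traits {traits}")
```

The third sample record shows why the threshold matters: a benign domain on a common registrar with a Let's Encrypt certificate shares two of the four traits and is correctly left out, while only domains that also land in the hypothetical hosting and ASN cluster are surfaced for analyst review.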