Russian Threat Group Initiates Credential Harvesting Campaign Across Many Verticals
Category: Threat Actor Activity | Industries: Aerospace, Defense, Government, Logistics, Military, Non-Government Organizations (NGOs), Technology, Telecommunications, Think Tanks | Level: Strategic | Source: Recorded Future
Recorded Future's research team, Insikt Group, tracked activity from the Russian threat group TAG-53, which has been spoofing the Microsoft login page of a United States military weapons and hardware supplier as part of a credential harvesting campaign. Activity from TAG-53 overlaps with that of Callisto Group, COLDRIVER, and SEABORGIUM, which is aligned with the Russian state's strategic interests. "Insikt Group has observed the recurring use of common traits by TAG-53 when curating its infrastructure, including the use of domain names employing a specific pattern construct along with Let's Encrypt TLS certificates, the use of a specific cluster of hosting providers, and the use of a small cluster of autonomous systems." Domain registrars commonly used in TAG-53's infrastructure are Porkbun, NameCheap, regway, and REG[.]RU. Based on other domains tied to TAG-53, additional targeted verticals include entities in aerospace, defense, government, logistics, non-government organizations (NGOs), telecommunications, and technology.