Russian Cyber-Espionage Gang Targets NATO, NGOs, And Think Tanks – Microsoft

Seaborgium has mainly targeted NATO countries, particularly the US and the UK, and occasionally attacked Baltic states, Nordic countries, and Eastern Europe.

Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia and organizations involved in supporting roles for the war in Ukraine.

Since the beginning of 2022, the threat actor targeted over 30 organizations, in addition to personal accounts of people of interest.

Threat Actors Consolidate Attack On Major Sectors

Seaborgium targeted former intelligence officials, experts in Russian affairs, and Russian citizens abroad. Seaborgium concentrates on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.

Microsoft claims to have disrupted Seaborgium's ongoing phishing operations with the help of Google Threat Analysis Group and the Proofpoint Threat Research Team. The company, which has tracked the group since 2017, said its campaigns involve persistent phishing and credential theft, leading to intrusions and data theft.

Researchers assess that the information stolen during the intrusions likely supports traditional espionage goals and operations. Most likely, Seaborgium uses social media platforms, such as LinkedIn, personal directories, and general open-source intelligence (OSINT) to conduct its reconnaissance of target individuals.

The threat actor also uses legitimate email services to impersonate individuals and establish contact with its targets. After establishing contact with the victim, Seaborgium delivers a malicious link to steal the target's credentials.

Microsoft Claims the Stolen Data Is Used For Exploitation

The threat actor uses stolen credentials to sign in to victim email accounts, exfiltrate data, set up persistent data collection, and access the people of interest. There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialog with specific people of interest.

As a result, the threat actors were included in conversations, sometimes unwittingly, involving multiple parties. What is more, Microsoft observed Seaborgium's sporadic involvement with information operations.

The actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup.

The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach.