The company calls the group “Seaborgium” and says it has actively been working to steal information from NATO nations, such as the UK and US. Sometimes, the group makes the data it steals public to create disinformation campaigns. According to the Microsoft Threat Intelligence Center (MSTIC), Seaborgium is using Microsoft OneDrive to reach victims. For example, the group lures unwitting users through impersonation of service attachments or through PDFs with links to attack URLs. “The victim is presented with what appears to be a failed preview message, enticing the target to click the link to be directed to the credential-stealing infrastructure. Occasionally, Seaborgium makes use of open redirects within the PDF file to further disguise their operational infrastructure,” Microsoft points out. When a user interacts with the link, they get sent to the system used to steal credentials. The group can trick users through a login page designed to look like legitimate providers. “Seaborgium intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries,” MSTIC adds.
Links with Russia
It is worth noting Seaborgium is not a new threat. Microsoft has been tracking the group since 2017. Although, 2022 has been a prosperous year for the group, with attacks on 30 organizations so far this year. Alongside those corporate attacks, the group is also continuously targeting personal accounts. Interesting, MSTIC does not point the finger directly at the Russian government for sponsoring the group, although the message from the security team is hardly vague: “Seaborgium is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests,” explains MSTIC. Tip of the day: Having problems with pop-ups and unwanted programs in Windows? Try the hidden adware blocker of Windows Defender. We show you how to turn it on in just a few steps.