Tue | Aug 16, 2022 | 4:00 PM PDT

The Microsoft Threat Intelligence Center (MSTIC) announced that it took disruptive actions against a Russia-based cyber threat actor known as Seaborgium.

Microsoft has tracked the threat actor since 2017 and says that its objectives and victimology closely align with the state interests of Russia. Seaborgium's campaigns typically involve phishing and credential theft, which lead to intrusions and data breaches.

The MSTIC says that while it could not rule out that the threat actor had current or prior connections to criminal and other non-state enterprises, it did determine that the information gathered during its campaigns likely supports traditional espionage objectives and information operations rather than financial motivations.

What is Seaborgium and who does it target?

Microsoft describes the Russian threat actor's activity:

"SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations' social networks through constant impersonation, rapport building, and phishing to deepen their intrusion.

SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics."

Throughout 2022, the MSTIC observed Seaborgium campaigns targeting more than 30 organizations, on top of targeting the personal accounts of persons of interest. 

The threat actor primarily targeted NATO countries, most often the United States and the United Kingdom. It also targeted the Ukrainian government in the months leading up to the Russian invasion, as well as any organizations that were involved in supporting Ukraine.

However, even though the actor has very close ties with Russia, Microsoft believes that Ukraine is not a primary target of Seaborgium; rather, it is "a reactive focus area for the actor and one of many diverse targets."

When Seaborgium targets nation states, it focuses its operations on things like defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.

Microsoft has even observed it targeting former intelligence officials, specifically those familiar with Russian affairs, as well as Russian citizens living abroad.

Seaborgium cyber campaigns

Seaborgium often uses impersonation both to conduct reconnaissance of specific individuals and to establish initial contact with them. For example, the actor created this fraudulent LinkedIn profile to conduct industry-specific reconnaissance:

A screenshot of a LinkedIn profile identified for fraudulent behavior. The fake profile uses the name Westley Dyck, who allegedly identifies as a research assistant.

Another example would be this phishing email that was used earlier this year, in which it impersonated the leader of an organization and emailed select employees with a cybersecurity themed lure:

A screenshot of a phishing email sent by SEABORGIUM to their target. The email impersonates the lead of an organization and informs the recipient of possible attackers against their organization. The email then tells the recipient to open an attached PDF file, disguised as analytical material for safety and informational awareness.

Then, like many other forms of cyberattack, the actor delivers malicious content to the intended target, such as a URL or a PDF attachment in an email.

The MSTIC continues to discuss data exfiltration and impact on the organization, and notes three common activities of Seaborgium:

  • Exfiltration of intelligence data: Seaborgium has been observed exfiltrating emails and attachments from the inbox of victims.

  • Setup of persistent data collection: In limited cases, Seaborgium has been observed setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data. On more than one occasion, we have observed that the actors were able to access mailing-list data for sensitive groups, such as those frequented by former intelligence officials, and maintain a collection of information from the mailing-list for follow-on targeting and exfiltration.

  • Access to people of interest: There have been several cases where Seaborgium has been observed using its impersonation accounts to facilitate dialog with specific people of interest and, as a result, was included in conversations, sometimes unwittingly, involving multiple parties. The nature of the conversations identified during investigations by Microsoft demonstrates potentially sensitive information being shared that could provide intelligence value.
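The forwarding-rule persistence described in the second bullet is something a defender can hunt for in mailbox audit logs. The following Python is an added example, not code from Microsoft's report: it flags inbox-rule or mailbox changes whose forwarding targets point outside the organization's own domains. The log records are constructed, simplified approximations of Exchange audit entries, and the internal domain list is an assumption.

```python
import json

# Constructed, simplified audit records (one JSON object per line). Real
# Exchange Online unified audit log entries carry many more fields; only the
# operation, the acting user and the rule parameters matter for this check.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.org","Parameters":[{"Name":"Name","Value":"Cleanup"},{"Name":"ForwardTo","Value":"archive-drop@mail-collector.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-InboxRule","UserId":"bob@example.org","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"ForwardAsAttachmentTo","Value":"bob@example.org"}]}
{"Operation":"New-InboxRule","UserId":"carol@example.org","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Junk"}]}
{"Operation":"Set-Mailbox","UserId":"dave@example.org","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:d.collector@external-host.example.com"}]}
"""

INTERNAL_DOMAINS = {"example.org"}  # assumed: the organization's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

def _addresses(value):
    # A value may be one address, an "smtp:"-prefixed address, or a ';'-separated list
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            yield part.lower()

def is_external(addr, internal=INTERNAL_DOMAINS):
    return addr.rsplit("@", 1)[1] not in internal

def find_external_forwarding(log_text, internal=INTERNAL_DOMAINS):
    """Return (user, operation, destination, deletes_original) for every rule
    that forwards or redirects mail to an address outside the organization."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = rec["Parameters"]
        # Forward-and-delete hides the copy from the victim: the dead-drop pattern
        deletes = any(p["Name"] == "DeleteMessage" and p["Value"] == "True" for p in params)
        for p in params:
            if p["Name"] in FORWARD_PARAMS:
                for addr in _addresses(p["Value"]):
                    if is_external(addr, internal):
                        hits.append((rec["UserId"], rec["Operation"], addr, deletes))
    return hits

if __name__ == "__main__":
    for user, op, dest, deletes in find_external_forwarding(SAMPLE_LOG):
        note = " (original is deleted)" if deletes else ""
        print(f"{user}: {op} forwards to external {dest}{note}")
```

Forwarding to an address inside the organization (Bob's rule) and rules that only move mail (Carol's) are not flagged, so the output narrows to the two changes worth a triage ticket.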

For additional information on Seaborgium and recommended actions for Microsoft customers, see the report from the MSTIC.