Microsoft warns of Russian phishing group that ‘wants to determine narrative’


Microsoft warns of the Russian phishing group Seaborgium, also known as Cold River. The group targets governments and other organizations, and tries to ‘determine the narrative’ in countries with stolen data.

Seaborgium has infiltrated various organizations and stakeholders in recent years, writes Microsoft. Since 2022, the group is said to have targeted more than 30 organizations and, among other things, the personal accounts of the people involved. The group mainly aims at NATO countries, specifically the United Kingdom and the United States. Ukraine was also a target of Seaborgium in the months leading up to the Russian invasion, Microsoft says. The group focuses mainly on defense and intelligence consultancy companies, NGOs, IGOs, think tanks and higher education.

The American company does not explicitly describe Seaborgium as state hackers, but says that the group operates from Russia and “has objectives and victims that are in line with Russian interests.” Microsoft’s Threat Intelligence Center, MSTIC, says the information gathered by Seaborgium “likely supports espionage work,” and the group is believed to have no financial motive.

Microsoft has been tracking Seaborgium since 2017 and says the group’s tactics have barely changed in that time. Seaborgium observes a target for a long time and infiltrates it slowly. For example, the group poses as employees of companies in order to gain access to the systems of a company or organization with phishing emails. In some cases, Seaborgium first starts an email conversation with a victim to slowly build trust; in other cases, the group begins phishing immediately.

Seaborgium uses various methods for phishing. For example, the group uses URLs that link to malicious sites, or PDFs and OneDrive files that display a fake error message. The error asks the user to press a button to try again, after which they are redirected to another site. On that site, which is managed by the group, users must enter their login details, which Seaborgium can then use itself.

After Seaborgium has obtained the login details, the group collects data and tries to set up forwarding rules so that it automatically receives new emails. In addition, Seaborgium tries to obtain more information about other people within the organization. In certain instances, the group has publicly disclosed the information it collected. In May, for example, it was reported that Seaborgium had leaked emails and documents of Brexit supporters dating from 2018. With that data, Seaborgium constructed the story that the Brexit proponents were preparing a coup.

Microsoft warns people to be careful with such leaked information, as it is not known whether the documents have been manipulated to strengthen or create a narrative. Microsoft therefore does not share the leaked content. The company does share a list of domain names that the group uses in its phishing attempts.
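One practical use of such a domain list is to scan incoming mail for links that point at a listed domain, including its subdomains, since the lure pages described above sit behind ordinary-looking URLs in the message body or in an attached document. The script below is an added example, not code from Microsoft or from the article; the blocklist entries are placeholders (`.invalid` top-level domain), not the real indicators, and the two email bodies are constructed samples.

```python
import re
from urllib.parse import urlparse

# Placeholder blocklist standing in for the domain list Microsoft published.
# Replace with the real indicators from the published advisory.
BLOCKED_DOMAINS = {
    "example-phish.invalid",
    "retry-portal.invalid",
}

# Rough URL extractor for plain-text bodies: stops at whitespace and the
# characters that usually close a link in running text.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def normalize_host(url):
    """Return the lowercase hostname of a URL, or None if it has none."""
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def matching_domain(host, blocked):
    """Return the blocked domain that host equals or is a subdomain of, else None.

    Walks the labels from the right so 'docs.retry-portal.invalid' matches
    'retry-portal.invalid' but 'retry-portal.invalid.example' does not.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_message(body, blocked=BLOCKED_DOMAINS):
    """Return a list of (url, matched_domain) pairs found in an email body."""
    hits = []
    for url in URL_RE.findall(body):
        host = normalize_host(url)
        if host is None:
            continue
        matched = matching_domain(host, blocked)
        if matched:
            hits.append((url, matched))
    return hits


# Constructed sample messages: one mimicking the 'error, click to retry'
# lure, one benign.
LURE_BODY = (
    "The document could not be displayed.\n"
    "Click here to try again: https://docs.RETRY-PORTAL.invalid/retry?id=17\n"
    "Shared via https://onedrive.live.com/ (legitimate host, not listed)"
)
BENIGN_BODY = "Agenda attached, see https://www.example.com/agenda.pdf"


if __name__ == "__main__":
    for name, body in (("lure", LURE_BODY), ("benign", BENIGN_BODY)):
        print(name, scan_message(body))
```

Run against a mail export, the non-empty results are the messages worth quarantining or reviewing; matching on the hostname rather than on a substring of the whole URL avoids false hits on query strings that merely mention a listed name.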

An example of Seaborgium trying to phish a target
