Microsoft warns of Russian phishing group ‘wanting to determine the narrative’
Microsoft warns of the Russian phishing group Seaborgium, also known as Cold River. The group focuses on governments and other organizations and uses the data it steals to try to ‘determine the narrative’ in the countries it targets.
Seaborgium has infiltrated various organizations and stakeholders in recent years, Microsoft writes. Since 2022 the group is said to have targeted more than 30 organizations and, among other things, the personal accounts of people involved with them. The group mainly focuses on NATO countries, specifically the United Kingdom and the United States. Ukraine was also a Seaborgium target in the months leading up to the Russian invasion, Microsoft says. The group mainly targets defense and intelligence consultancies, NGOs, IGOs, think tanks and higher education.
The American company does not explicitly call Seaborgium state hackers, but says the group comes from Russia and has “objectives and victims that align with Russian interests”. Microsoft’s Threat Intelligence Center, MSTIC, says the information collected by Seaborgium “probably supports espionage work and the group is believed to have no financial motive.”
Microsoft has been tracking Seaborgium since 2017 and says the group’s tactics have barely changed in that time. Seaborgium follows a target for a long time and infiltrates it slowly. For example, the group poses as employees of a company and uses phishing emails to gain access to the systems of that company or organization. In some cases, Seaborgium first starts an email conversation with a victim to slowly build trust; in other cases, the group begins phishing immediately.
Seaborgium uses various phishing methods. For example, the group sends URLs that link to rogue sites, or PDFs and OneDrive files that display a fake error message. The error message asks the user to press a button to try again, which redirects them to another site. That site, which is controlled by the group, asks users to enter their login details, which Seaborgium can then use itself.
Once Seaborgium has obtained the login details, the group collects data and tries to set up mail forwarding so that it automatically receives new messages. In addition, Seaborgium tries to gather more information about other people within the organization. In certain cases, the group has made the collected information public. For example, in May it emerged that Seaborgium had leaked emails and documents from Brexit proponents dating from 2018. With that data, Seaborgium constructed the story that the Brexit proponents were preparing a coup.
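One way a defender can hunt for the mail-forwarding persistence described above, as an added example that is not from Microsoft's report: it scans constructed sample records modelled on the Exchange entries of the Microsoft 365 unified audit log and flags any forwarding destination outside the organization's own domains. The domains, addresses and records are assumptions made up for the example.

```python
import json
import re

# Inbox-rule and mailbox parameters that send mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records, modelled on Exchange entries in the
# Microsoft 365 unified audit log (Parameters is a list of Name/Value pairs).
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2022-08-15T09:12:44", "Operation": "New-InboxRule",
     "UserId": "analyst@example-ngo.org", "ObjectId": "analyst@example-ngo.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2022-08-15T10:01:03", "Operation": "Set-Mailbox",
     "UserId": "admin@example-ngo.org", "ObjectId": "director@example-ngo.org",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail-relay.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2022-08-15T11:30:00", "Operation": "New-InboxRule",
     "UserId": "analyst@example-ngo.org", "ObjectId": "analyst@example-ngo.org",
     "Parameters": [{"Name": "Name", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "team-lead@example-ngo.org"}]},
]

def _addresses(value):
    """Pull e-mail addresses out of a parameter value such as
    'smtp:x@y' or 'Alice <a@b>; c@d'."""
    return re.findall(r"[\w.+-]+@[\w.-]+\.\w+", value)

def find_external_forwarding(records, internal_domains):
    """Return one finding per forwarding destination outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            for addr in _addresses(param.get("Value", "")):
                if addr.rsplit("@", 1)[1].lower() not in internal:
                    findings.append({"time": rec["CreationTime"], "actor": rec["UserId"],
                                     "mailbox": rec["ObjectId"], "operation": rec["Operation"],
                                     "destination": addr})
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG, ["example-ngo.org"]):
        print(json.dumps(finding))
```

Internal forwarding (the third record) is deliberately ignored so the output stays focused on mail leaving the organization.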
Microsoft warns people to be careful with such leaked information, because it is not known whether the documents were manipulated to enhance or create a story. For that reason Microsoft does not share the leaked content. The company does share a list of domain names that the group uses in its phishing attempts.
An example of how Seaborgium tries to phish a target