Hostile advanced persistent threat (APT) groups aligned with the national interests of Iran and Russia are targeting UK nationals including academics, activists, charity and NGO workers, defence and government officials, journalists, and politicians, with carefully crafted and highly targeted spear-phishing emails, according to new intelligence from the UK’s National Cyber Security Centre (NCSC).
The distinct yet technically similar campaigns are attributed with relative confidence to Iran’s TA453, which also goes by Charming Kitten among other names, and Russia’s Seaborgium, which also goes by Cold River and was recently linked to an attack on former MI6 chief Richard Dearlove and a group of hard Brexit advocates, and an incident targeting US nuclear scientists.
The ongoing pattern of cyber activity is suspected, although not confirmed by the NCSC, to be linked to intelligence gathering in support of the goals of the APTs’ supposed government paymasters in Tehran and Moscow.
The activity is relatively small in scale and does not pose an immediate threat to most of the British public, according to the NCSC's operations director, Paul Chichester, who said it was the sophistication of the attacks, rather than their volume, that was the concern.
“The UK is committed to exposing malicious cyber activity alongside our industry partners, and this advisory raises awareness of the persistent threat posed by spear-phishing attacks,” he said.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
The NCSC is today issuing a new advisory addressed directly to potential victims, something it generally only does when it is relatively certain there is an urgent need to reach vulnerable organisations or individuals, so its findings are worth noting.
The two spear-phishing campaigns share much of their tradecraft, particularly in how the initial approach to a target is made.
Contact will generally appear benign and may seem to originate from legitimate contacts, as the groups look to gain the confidence and trust of their intended victims. The lures observed included fake invitations to conferences or events.
Approaches are being made via email, social media and professional networks, but notably in this instance, TA453 and Seaborgium have been seen targeting the personal email accounts of their victims, as opposed to official work accounts.
The NCSC believes this tactic may present an easier route in for the attackers, taking advantage of people being more inclined to trust people to whom they have given their personal email address, or being less on their guard when using personal services. It can also help them bypass email security controls that may be in place on organisational networks.
The email correspondence may also appear to be part of an ongoing thread, and in some instances, these groups have even been observed adopting multiple personas to create convincing email threads, which helps build a rapport and presents a narrative that the victim may be more inclined to respond to.
Sharing malicious content
Ultimately, the objective of the campaigns is to share malicious documents or links to phishing websites that can lead to downstream credential theft and compromise. In the observed campaigns, many of these links were disguised as Zoom meeting URLs.
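The Zoom-themed lures described above rely on a link that merely looks like a Zoom meeting URL. The snippet below is an added example, not code from the NCSC advisory or the article, showing how a triage script should decide whether a link actually points at a Zoom host: it compares the parsed hostname on label boundaries rather than doing a substring match, and it uses the parsed hostname rather than the raw netloc so that the `user@host` trick does not fool it. The `ZOOM_DOMAINS` allow-list and the sample links are assumptions constructed for the demonstration, not observed indicators.

```python
"""Added example (not from the NCSC advisory or the article): flag links that
present themselves as Zoom meeting URLs but do not resolve to a Zoom host.

The legitimate host set below is an assumption for illustration; a real
deployment would take it from an allow-list maintained by the organisation.
"""
from urllib.parse import urlsplit

# Assumed set of legitimate Zoom domains (illustrative, not exhaustive).
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def host_matches(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a proper subdomain of it.

    A substring test ('zoom.us' in host) would be fooled by
    'zoom.us.example.net' and 'notzoom.us', so compare on label boundaries.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Return 'zoom', 'lookalike' or 'other' for a single URL."""
    parts = urlsplit(url.strip())
    # netloc still carries any 'user:pass@' prefix and port; .hostname strips
    # both, so 'https://zoom.us@evil.example/' yields 'evil.example', not 'zoom.us'.
    host = parts.hostname or ""
    if parts.scheme in ("http", "https") and any(
        host_matches(host, d) for d in ZOOM_DOMAINS
    ):
        return "zoom"
    # Anything that mentions zoom but is not on a Zoom host is treated as an
    # impersonation attempt worth a closer look (schemeless links land here too).
    if "zoom" in url.lower():
        return "lookalike"
    return "other"


def triage(urls):
    """Map each URL to its classification, for a batch of links extracted from a mail."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links for the demonstration (not real observed indicators).
SAMPLE_LINKS = [
    "https://zoom.us/j/1234567890",
    "https://us02web.zoom.us/j/1234567890?pwd=abc",
    "https://zoom.us.example.net/j/1234567890",   # zoom.us as a label inside another domain
    "https://zoom.us@evil.example/j/1234567890",  # userinfo trick: real host is evil.example
    "https://zoom-us.example/j/1234567890",       # hyphenated lookalike
    "https://example.org/report.pdf",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {link}")
```

The classification is deliberately conservative: a link is only trusted when the scheme is plain HTTP(S) and the parsed host sits under an allow-listed domain, and everything else that mentions Zoom is surfaced for a human to look at. It does not follow redirects, so a shortener that eventually lands on a phishing page would need an extra resolution step before this check.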
The NCSC emphasised that while the two campaigns share many similarities, it has found no evidence that they are linked, or that TA453 and Seaborgium have been collaborating.
The NCSC is advising people working in targeted industries to be particularly vigilant, and to adopt a set of basic cyber security principles that can vastly reduce their chances of being compromised.
These include using strong and separate passwords for email accounts, activating multi-factor authentication wherever possible, keeping devices and networks patched and up to date, enabling the automated email scanning features offered by providers, and disabling mail forwarding, since an attacker who obtains an account's credentials can quietly add a forwarding rule to keep receiving its mail. Additionally, as always, it is important to maintain a healthy degree of scepticism when opening unexpected emails, even if they seem to be from a close contact.
The Centre for the Protection of National Infrastructure also maintains an application, Think Before You Link, which can help individuals identify malicious online profiles and cut the risk of being targeted.