Cybersecurity experts from the Microsoft Threat Intelligence Center (MSTIC) have disrupted the infrastructure of an APT responsible for long-running cyberespionage activity aimed at targets within NATO countries. The group, dubbed SEABORGIUM, launched multiple phishing, data theft, and hack-and-leak campaigns to spy on defense contractors, NGOs, IGOs, think tanks, and educational institutions, allegedly on behalf of the Russian government.
In view of the growing sophistication and scale of APT attacks, it is important to have detection content at hand in a timely manner to defend against intrusions proactively. Grab the Sigma rule below, provided by our keen Threat Bounty developer Nattatorn Chuensangarun, to identify the hack-and-leak campaigns associated with the SEABORGIUM APT. In addition to the Sigma rule, you get access to related MITRE ATT&CK references, CTI links, and contextual metadata for a holistic view of the attack surface.
This Sigma rule has translations to 19 SIEM, EDR & XDR formats and is aligned with the MITRE ATT&CK® framework, addressing the Initial Access tactic with Phishing (T1566) as its primary technique.
Obtain the full list of Sigma rules to detect malicious activity associated with advanced persistent threats (APTs) by hitting the Detect & Hunt button. Cyber defenders can also browse our Cyber Threats Search Engine to get relevant detections enhanced with a broad range of contextual information, including CTI links, MITRE ATT&CK references, and other metadata. Just press the Explore Threat Context button to dive in!
According to MSTIC's investigation, SEABORGIUM is a Russian state-sponsored APT group that has been operating in the wild since at least 2017. The analysis shows significant overlap in tactics and tooling with the COLDRIVER APT and the Callisto Group, both closely aligned with Moscow's political interests.
Acting on behalf of the Russian state, SEABORGIUM is responsible for multiple long-running malicious campaigns aimed at spying on defense contractors, government agencies, non-governmental organizations, and think tanks across Europe.
Typically, the adversaries infiltrate a targeted organization gradually and carefully, combining impersonation, phishing, and social engineering. SEABORGIUM invests considerable effort in reconnaissance of its victims and in building rapport through long-running conversations from fake social media accounts. Those fake accounts are then used to deliver malicious PDF attachments or phishing links to booby-trapped documents hosted on OneDrive. If a targeted individual opens the attachment or follows the link, they are redirected to a web page running an adversary-in-the-middle phishing framework such as Evilginx, which proxies the legitimate sign-in page and captures the submitted credentials together with the resulting session cookie, so MFA alone does not stop the compromise. Once inside the victim's account, SEABORGIUM exfiltrates the intelligence it is after, pivots across related accounts and mailboxes of interest, and dumps sensitive information.
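The chain above (OneDrive-hosted lure, then a redirect to a proxied sign-in page) leaves a usable trace in web proxy logs: because an AitM framework serves the real sign-in page content, the hostname of the sign-in page, not its appearance, is the detection signal. The following is an added example of that detection logic, written for this page rather than taken from the original post or from the Sigma rule it references. The log format, the `.example.net` / `.example.org` hostnames, the allowlist of genuine Microsoft sign-in hosts, and the five-minute pairing window are all assumptions constructed for the example.

```python
"""Prototype detection for a OneDrive-lure -> AitM sign-in page chain.

Flags a user who requests a OneDrive/SharePoint-hosted document and, shortly
after (or with that document as the referer), loads a login-looking host that
is NOT a legitimate Microsoft identity endpoint.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: genuine Microsoft sign-in hosts; extend for your own IdP/tenant.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Hosts where the lure document itself is expected to live.
LURE_HOSTS = re.compile(r"(^|\.)(1drv\.ms|onedrive\.live\.com|sharepoint\.com)$")
# Brand tokens commonly found in credential-harvesting hostnames.
LOOKALIKE = re.compile(r"(login|microsoft|office|outlook|onedrive|live)", re.I)
# Assumption: a lure click and the phishing page load happen within 5 minutes.
WINDOW = timedelta(minutes=5)

# Constructed sample proxy log: "<iso-timestamp> <user> <url> <referer>" ("-" = none).
SAMPLE_LOG = """
2022-08-15T09:12:01 alice https://login.microsoftonline.com/common/oauth2/authorize -
2022-08-15T09:14:10 bob https://1drv.ms/b/s!example -
2022-08-15T09:14:12 bob https://onedrive-live-login.example.net/common/login https://1drv.ms/b/s!example
2022-08-15T10:30:00 carol https://onedrive.live.com/?id=docs -
2022-08-15T10:50:00 carol https://office-login.example.org/signin -
"""


@dataclass
class Event:
    ts: datetime
    user: str
    url: str
    referer: str


def parse_line(line: str) -> Event:
    ts, user, url, referer = line.split()
    return Event(datetime.fromisoformat(ts), user, url, referer)


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_lure_host(h: str) -> bool:
    return bool(LURE_HOSTS.search(h))


def is_suspicious_login(h: str) -> bool:
    # Legitimate endpoints are allowlisted; anything else using brand tokens is suspect.
    return h not in LEGIT_LOGIN_HOSTS and bool(LOOKALIKE.search(h))


def detect(lines):
    """Return (user, phishing_host, lure_url) for each paired lure -> login event."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_lure = {}  # per-user most recent lure document request
    hits = []
    for e in events:
        h = host(e.url)
        if is_lure_host(h):
            last_lure[e.user] = e
            continue
        if not is_suspicious_login(h):
            continue
        prior = last_lure.get(e.user)
        via_referer = e.referer != "-" and is_lure_host(host(e.referer))
        if via_referer or (prior is not None and e.ts - prior.ts <= WINDOW):
            hits.append((e.user, h, prior.url if prior else e.referer))
    return hits


def run_sample():
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for user, phish_host, lure in run_sample():
        print(f"ALERT user={user} login_host={phish_host} lure={lure}")
```

In the sample, only `bob` is flagged: `alice` used the genuine sign-in host and `carol`'s lookalike request came 20 minutes after the lure with no referer, which the window treats as unrelated (tune `WINDOW` and the referer rule to your own click-to-login latency). The allowlist is what keeps a legitimately shared document that links to the real tenant sign-in from alerting.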
Cybersecurity professionals are welcome to sign up for free at SOC Prime's Detection as Code platform to detect the latest threats, improve log source and MITRE ATT&CK coverage, and actively contribute to boosting their organization's cyber defense capabilities. Aspiring Detection Engineers can join the Threat Bounty Program, SOC Prime's crowdsourcing initiative, and share our dedication to cooperating on high standards of cybersecurity processes and raising resilience in the face of continuously emerging threats.