Microsoft disrupts phishing campaigns launched by SEABORGIUM


Devdiscourse News Desk | California | Updated: 17-08-2022 12:43 IST | Created: 17-08-2022 12:43 IST

SEABORGIUM, a highly persistent Russia-based threat actor, has successfully compromised organizations and people of interest in consistent campaigns for several years. Microsoft says it has been observing SEABORGIUM campaigns targeting over 30 organizations, in addition to personal accounts of people of interest, since the beginning of 2022.

The Microsoft Threat Intelligence Center (MSTIC) has taken actions to disrupt the actor's ongoing phishing operations. Microsoft joined forces with the Google Threat Analysis Group (TAG) and the Proofpoint Threat Research Team to track and disrupt this actor.

According to MSTIC, SEABORGIUM's campaigns involve persistent phishing and credential theft, leading to intrusions and data theft. Its intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries.

Once successful, it slowly infiltrates targeted organizations' social networks through constant impersonation, rapport building, and phishing to deepen its intrusion. Within the target countries, SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.

The actor has a high interest in targeting individuals as well, with 30% of Microsoft's nation-state notifications related to SEABORGIUM activity being delivered to Microsoft consumer email accounts. It has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

"Microsoft's ability to detect and track SEABORGIUM's abuse of Microsoft services, particularly OneDrive, has provided MSTIC sustained visibility into the actor's activities and enabled us to notify impacted customers. As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection," the company said.

Microsoft has shared a detailed analysis of SEABORGIUM's operational tactics as well as several examples of their campaigns in this blog post. The blog also provides security considerations to mitigate the techniques used by the actor.
