The UK’s National Cyber Security Centre (NCSC) has recently issued a warning that Iranian and Russian state-sponsored threat operators are increasingly targeting British individuals and organisations.

Specifically, the UK agency has discovered a rise in spear-phishing attacks they have attributed to two malicious actors currently tracked as APT42 and SEABORGIUM. The main objective of both these campaigns is to collect data from selected targets.

The NCSC explained, however, that the two threat operators are not working together in their efforts:

“Although there is similarity in the TTPs (techniques, tactics, and procedures) and targeting profiles, these campaigns are separate, and the two groups are not collaborating. The attacks are not aimed at the general public, but targets in specified sectors, including academia, defence, government organisations, NGOs, think tanks, as well as politicians, journalists, and activists.”

State-funded attack groups from overseas

Sometimes referred to as “TA446”, SEABORGIUM is a threat group with Russian state sponsorship that made headlines last year when it targeted NATO countries during the summer. While tech giant Microsoft disrupted the threat group’s operations in August when it disabled the online accounts employed in these malicious activities, the decisive action still failed to stop the hackers entirely.

APT42 (Advanced Persistent Threat 42), also known as TA453, is another threat group, this time based in Iran. Experts believe it operates from inside the Islamic Revolutionary Guard Corps (IRGC), a core branch of the Iranian armed forces. The malicious actor has a previous record of impersonating journalists and targeting policy experts and academics throughout the Middle East.

Targeted attacks and mitigation

The recent advisory from the NCSC explains how the groups conduct reconnaissance using open-source resources, such as popular networking services like LinkedIn, to harvest enough unique and personal data on their targets to construct believable social engineering ploys.

Both attack groups create several fake accounts designed to impersonate journalists and experts, and often send spoof emails to targets via Gmail, Outlook and Yahoo.

To improve their success rate, the hackers also set up malicious domains that closely mimic genuine organisations in the victim’s area of interest, so that the approach appears legitimate.

After the threat actors establish a rapport with their target, they share a harmful link that directs the victim to a phishing site where the user’s email account credentials can be stolen. This affords the attackers access to the entire archive containing recent communications initiated and received by the target.

Additionally, the hackers configure mail-forwarding rules in the user’s email account. As a result, all future correspondence is shared with them automatically.

This stealthy tactic removes any need to log into the target’s email account repeatedly, which could raise an alarm; instead, messages are copied to the attackers as they arrive in the victim’s inbox. The NCSC highlights this as a mark of the threat’s sophistication.

To mitigate the rising threat, the NCSC advises using long and strong unique passwords for all online services, as well as activating multi-factor authentication protection wherever possible.

Furthermore, it suggests that possible targets enable automated scanning features on their email and disable any mail-forwarding rules.
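The mail-forwarding persistence described above, and the advice to remove such rules, both come down to one question for a defender: which mailbox rules send mail outside the organisation? The following is an added example, not code from the article or the NCSC, that scans constructed audit-log records shaped like Microsoft 365 inbox-rule events (field names such as `Operation`, `Parameters`, `ForwardTo` and `RedirectTo` are assumed) and flags rules that forward or redirect to external addresses.

```python
# Constructed sample records shaped like Microsoft 365 unified-audit-log
# entries for inbox-rule operations (field names assumed; not from the article).
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "analyst@example.org",
     "Parameters": [{"Name": "Name", "Value": "Archive newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "policy.lead@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "backup.mail@example-mailbox.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "policy.lead@example.org",
     "Parameters": [{"Name": "Identity", "Value": "."},
                    {"Name": "RedirectTo", "Value": "it.support@example.org"}]},
    {"Operation": "MailItemsAccessed", "UserId": "policy.lead@example.org",
     "Parameters": []},
]

INTERNAL_DOMAINS = {"example.org"}  # assumed organisation domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def _params(record):
    """Flatten the Name/Value parameter list of one record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal


def find_suspicious_forwarding(records, internal=INTERNAL_DOMAINS):
    """Return findings for inbox-rule operations that forward or redirect mail
    outside the organisation, the persistence mechanism the advisory describes."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(rec)
        for name in sorted(FORWARD_PARAMS & params.keys()):
            dest = params[name]
            if is_external(dest, internal):
                findings.append({
                    "user": rec["UserId"],
                    "operation": rec["Operation"],
                    "parameter": name,
                    "destination": dest,
                    # deleting the original hides the forwarding from the victim
                    "deletes_original": params.get("DeleteMessage") == "True",
                })
    return findings
```

On the sample data only the rule forwarding to `example-mailbox.net` is flagged; the redirect to an internal address and the folder-move rule are ignored.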