The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group, using information known to be of interest to the targets to engage them. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.
Research and preparation
Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, SEABORGIUM and TA453 identify hooks to engage their target. They take the time to research the target's interests and identify the target's real-world social or professional contacts. T1589; T1593
They have also created fake social media or networking profiles that impersonate respected experts T1585.001, and used supposed conference or event invitations, as well as false approaches from journalists.
Both SEABORGIUM and TA453 use webmail addresses from different providers (including Outlook, Gmail and Yahoo) in their initial approach T1585.002, impersonating known contacts of the target or eminent names in the target’s field of interest or sector.
The actors have also created malicious domains resembling legitimate organisations to appear authentic T1583.001. Microsoft Threat Intelligence Center (MSTIC) provide a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, although this should not be considered exhaustive.
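As an added illustration (not from the advisory, and not either actor's tooling), the following Python check applies the two signals described above from the defender's side: a known contact's display name arriving from a consumer webmail domain, or from a domain that closely resembles the contact's real one. The contact list, domains and similarity threshold are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (not from the advisory): names of the target's known
# contacts and the legitimate domains those contacts normally write from.
KNOWN_CONTACTS = {
    "alice example": "thinktank-example.org",
    "bob sample": "university-example.ac.uk",
}

# Consumer webmail providers of the kind used for the initial approach.
WEBMAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}


def parse_from(header: str):
    """Split 'Display Name <user@domain>' into (display name, domain), lowercased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^@>]+)@([^>]+)>\s*$', header)
    if not m:  # bare address with no display name
        return "", header.rsplit("@", 1)[-1].strip().lower()
    return m.group(1).strip().lower(), m.group(3).strip().lower()


def is_lookalike(domain: str, legit: str, threshold: float = 0.85) -> bool:
    """True when domain is close to, but not equal to, a legitimate domain."""
    if domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= threshold


def assess(from_header: str) -> list:
    """Return the impersonation indicators found in a From header (empty = none)."""
    name, domain = parse_from(from_header)
    findings = []
    legit = KNOWN_CONTACTS.get(name)
    if legit is not None and domain != legit:
        if domain in WEBMAIL_DOMAINS:
            findings.append("known contact name on webmail domain")
        elif is_lookalike(domain, legit):
            findings.append("known contact name on lookalike domain")
        else:
            findings.append("known contact name on unexpected domain")
    elif any(is_lookalike(domain, d) for d in KNOWN_CONTACTS.values()):
        findings.append("lookalike of a known organisation domain")
    return findings
```

A real deployment would feed the check from the directory or address book rather than a literal dict, and tune the threshold against the organisation's own domain names.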
Preference for personal email addresses
SEABORGIUM and TA453 have predominantly sent spear-phishing emails to targets’ personal email addresses, although targets’ corporate or business email addresses have also been used. The actors may use personal emails to circumvent security controls in place on corporate networks.
Building a rapport
Having taken the time to research their targets’ interests and contacts to create a believable approach, SEABORGIUM and TA453 now start to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.