UK Warns of Surge in Russian, Iranian APT Phishing Threats

UK Security Agency Says British Civil Society, Defense Organizations at Most Risk
British civil society and defense organizations are at risk of increased spear-phishing attacks from Russian and Iranian state-sponsored hackers who are actively using advanced social engineering for cyberespionage, the country's national cybersecurity agency warns.

In an alert released Thursday, the U.K.'s National Cyber Security Center warned that Russian advanced persistent threat group Seaborgium and Iranian group Charming Kitten are using previously unseen tactics to steal vital information deemed important by the country's intelligence agencies as part of espionage campaigns.

Journalists, nongovernmental organizations, think tanks, defense organizations and academics in the country are at risk of increased cyberattacks, and the agency recommends that these groups proactively watch for any suspicious links sent by email and enable security measures such as multifactor authentication to avoid potential large-scale compromise.

"We strongly encourage organizations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online," says Paul Chichester, the NCSC's director of operations.

Although in the past both Charming Kitten and Seaborgium have used spear-phishing for intelligence gathering, the agency says the latest campaigns are far more sophisticated and use highly personalized tactics to lure the victims into clicking on links.

These include using fake social media accounts of legitimate people to send malicious links, sometimes disguised as Zoom meeting URLs; impersonating Outlook or Yahoo email addresses of familiar contacts; and using malicious domains resembling legitimate organizations to target the victims. In one case observed by the NCSC, attackers sent malicious links via Zoom chat to victims.

When victims click on these malicious links, they are redirected to credential-harvesting sites disguised as login pages of legitimate services, the report says. The hackers then use the stolen credentials to access the victims' email and to send more malicious links to the victims' contacts, it adds.
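The link tactics described above (look-alike domains and links dressed up as Zoom meeting URLs) can be triaged by comparing each link's real hostname against an allowlist. The following Python is an added example, not taken from the NCSC advisory or this article; the allowlist, the distance threshold and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the services named in the article. A real deployment would use
# the organisation's own allowlist and the Public Suffix List.
TRUSTED = {"zoom.us", "outlook.com", "yahoo.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike', 'brand-in-host' or 'unknown'."""
    # Only the parsed hostname counts; text before '@' or in the path does not.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown"
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification: last two labels
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"  # punycode label may render as look-alike characters
    if any(edit_distance(registrable, d) <= 2 for d in trusted):
        return "lookalike"  # e.g. one swapped or substituted character
    brands = {d.split(".")[0] for d in trusted}
    # Brand name placed in a subdomain or label of an unrelated domain.
    if any(b in label for b in brands for label in labels):
        return "brand-in-host"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; the .example hosts are placeholders, not IoCs.
    for link in ("https://us02web.zoom.us/j/123",
                 "https://zo0m.us/j/123",
                 "https://zoom.us.meeting-join.example/j/123",
                 "https://zoom.us@login.example/j/123"):
        print(f"{classify_link(link):14} {link}")
```

A verdict other than `trusted` is a prompt for review, not proof of malice: the edit-distance rule also flags unrelated domains that happen to be spelled similarly.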

"While the malicious campaigns use similar techniques and have similar targets, the campaigns are separate and the two actors are not collaborating," the NCSC says.

In a December report, security firm Proofpoint revealed that the Charming Kitten campaign is tied to six affiliates within the APT group. According to Proofpoint, the latest campaign began in 2021 and uses a new malware dubbed GhostEcho to gain initial access for the hackers to conduct further espionage. Victims include mainly U.S. and Israeli defense officers, as well as women's rights activists and academicians in the United States and Europe.

Proofpoint, which has been actively tracking the Charming Kitten campaigns for years, says the group's activities are vetted by the Islamic Revolutionary Guard Corps for intelligence-gathering purposes. The group has targeted journalists and activists throughout the Middle East since at least 2013.

Seaborgium, which has suspected links to the Russian cyber military unit of the GRU, mainly targets government officials, think tanks and journalists in Europe.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.