These Russian and Iranian hackers are fooling vital industries


The UK's National Cyber Security Centre (NCSC) has issued a warning over the continual cyberattacks perpetrated by Russian and Iranian hacker groups. 

Its report says SEABORGIUM (AKA: Callisto Group/TA446/COLDRIVER/TAG-53) and TA453 (AKA: APT42/Charming Kitten/Yellow Garuda/ITG18) are using spear-phishing techniques to target institutions and individuals with the aim of gathering intel.

Although the two groups do not appear to be in collusion, they are separately attacking the same types of organizations, which last year included government bodies, NGOs, and those in the defense and education sectors, as well as individuals such as politicians, journalists and activists.


Playing the long game

Spear-phishing is a more targeted phishing technique, whereby the threat actor tailors the lure to a specific victim, typically by pretending to have information of particular interest to them. In the case of SEABORGIUM and TA453, they gather this by researching freely available resources, such as social media profiles and professional networking platforms, to learn about their target and the identities of people they know.

Both groups have even gone as far as creating fake social media profiles themselves, to impersonate their target's known contacts, as well as experts within their field and journalists, all in an effort to lure their catch.

There is usually benign contact at first, as SEABORGIUM and TA453 seek to establish a relationship with their target to gain their trust. The NCSC notes that this can last for an extended period.

Once they have, they will then usually deploy a malicious link, either in an email or embedded within a shared document on platforms such as Microsoft OneDrive or Google Drive.

The NCSC reports that "in one case, [TA453] even set up a Zoom call with the target to share the malicious URL in the chat bar during the call." The use of multiple fake personas in a single phishing attack has also been reported, in an effort to bolster the façade. 

Following these links will usually take the victim to a fake login page controlled by the attackers, and once they enter their credentials, they are stolen. With these, the hackers then log into their victims' email accounts to steal emails and attachments, and also set up forwarding so that incoming emails are sent on to accounts they control, allowing them to continually spy on the victim.

What's more, they then use the saved contacts in the compromised email account to find yet more victims in follow-on attacks and start the process all over again.  
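The forwarding step described above leaves a durable artefact in the victim's mailbox: a rule that copies incoming mail out to an address the attacker controls. The script below is an added example, not code from the NCSC or from either group's reporting, that triages a dump of a mailbox's inbox rules for that pattern. The record layout mirrors Microsoft Graph `messageRule` objects, the internal domain list is an assumption for the example, and the three rules are constructed sample data rather than a real export.

```python
"""Triage a mailbox's inbox rules for the persistence step described above:
an attacker holding stolen credentials adds a rule that forwards or redirects
incoming mail to an account they control. Added example; the record layout
mirrors Microsoft Graph 'messageRule' objects, and the rules below are
constructed sample data, not a real export."""
import json

# Assumption for the example: domains the organisation owns. Anything else is external.
INTERNAL_DOMAINS = {"example.org"}

# Constructed sample dump of one mailbox's rules.
SAMPLE_RULES_JSON = """
[
  {"displayName": "Team digest", "isEnabled": true,
   "conditions": {"fromAddresses": [{"emailAddress": {"address": "digest@example.org"}}]},
   "actions": {"moveToFolder": "Digest"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mail.sync@gmail.com"}}],
               "delete": true, "stopProcessingRules": true}},
  {"displayName": "Invoices", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice"]},
   "actions": {"redirectTo": [{"emailAddress": {"address": "finance@example.org"}}]}}
]
"""


def _recipients(actions, key):
    """Addresses listed under one forwarding-style action, lower-cased."""
    return [r["emailAddress"]["address"].lower() for r in actions.get(key, [])]


def is_external(address):
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def triage_rules(rules):
    """Return one finding per rule that looks like attacker persistence."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        name = rule.get("displayName", "")
        targets = (_recipients(actions, "forwardTo")
                   + _recipients(actions, "forwardAsAttachmentTo")
                   + _recipients(actions, "redirectTo"))
        external = [t for t in targets if is_external(t)]
        reasons = []
        if external:
            reasons.append("forwards or redirects to external address(es): " + ", ".join(external))
            if not rule.get("conditions"):
                reasons.append("no conditions, so every incoming message is copied out")
            if actions.get("delete") or actions.get("markAsRead"):
                reasons.append("hides the activity from the mailbox owner (delete/mark as read)")
        if not name.strip(" ._-"):
            reasons.append("blank or punctuation-only rule name")
        if reasons:
            findings.append({"rule": name, "enabled": bool(rule.get("isEnabled")), "reasons": reasons})
    return findings


def triage_sample():
    """Run the triage over the constructed sample dump."""
    return triage_rules(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding["rule"] or "<unnamed>", "enabled" if finding["enabled"] else "disabled")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only the second rule is reported: it has no conditions, forwards to an external freemail address, deletes the original so the victim never sees the message, and carries a meaningless name. The first rule is ordinary mail hygiene and the third redirects only within the organisation, so both pass.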

Both SEABORGIUM and TA453 use accounts from common email providers, such as Outlook and Gmail, to create spoof identities when first approaching their target. They have also created fake domains for seemingly legitimate organizations. Those that are currently known to be linked to SEABORGIUM have been published in a list courtesy of the Microsoft Threat Intelligence Center (MSTIC).

Cybersecurity firm Proofpoint has been on the tail of the Iranian TA453 group since 2020, largely echoing the same findings as the NCSC: "[TA453] campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation."

They also noted that other targets of the group have included medical researchers, an aerospace engineer, a realtor, and travel agencies. In addition, the firm issued the following warning:

"Researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts that are approached by journalists should check the publication’s website to see if the email address belongs to a legitimate reporter."
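The check Proofpoint suggests, comparing the sender's address against the publication's own domain, also catches the spoofed identities described earlier: freemail accounts posing as reporters, and registered lookalikes of legitimate organisations. The script below is an added example, not Proofpoint's or the NCSC's code, that automates it. It assumes the legitimate domain has already been read off the publication's website, treats a small set of second-level suffixes as a stand-in for a proper public-suffix list, and every address it classifies is constructed.

```python
"""Classify whether a sender address plausibly belongs to the organisation it
claims to represent. Added example: the legitimate domain is assumed to have
been taken from the publication's own website, the public-suffix handling is a
deliberate simplification, and every address below is constructed."""
import re
import unicodedata

# Providers the advisory says both groups use when first approaching a target.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com", "proton.me"}

# Character pairs commonly swapped to build lookalike domains, applied after lower-casing.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Simplification standing in for a public-suffix list: second-level labels under
# which the registrable name sits one level deeper (exampleherald.co.uk -> "exampleherald").
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def core_label(domain):
    """The label a registrant actually chose, ignoring TLD and second-level suffix."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label):
    """Fold the tricks a lookalike relies on so that near-copies compare equal."""
    text = unicodedata.normalize("NFKC", label).lower()
    text = re.sub(r"[^a-z0-9]", "", text)
    for bad, good in SUBSTITUTIONS:
        text = text.replace(bad, good)
    return text


def levenshtein(a, b):
    """Edit distance, for catching one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, legit_domain):
    """One of: legitimate_domain, subdomain, freemail, lookalike, unrelated."""
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    legit = legit_domain.lower()
    if domain == legit:
        return "legitimate_domain"
    if domain.endswith("." + legit):
        return "subdomain"
    if domain in FREEMAIL:
        return "freemail"
    legit_core = core_label(legit)
    sender_core = core_label(domain)
    if normalise(sender_core) == normalise(legit_core):
        return "lookalike"  # homoglyph swap, or the same name on another TLD
    if legit_core in domain or levenshtein(sender_core, legit_core) <= 2:
        return "lookalike"  # "exampleherald-press.com", a one-letter typo, etc.
    return "unrelated"


if __name__ == "__main__":
    LEGIT = "exampleherald.co.uk"  # constructed: read from the publication's website
    for addr in ["j.smith@exampleherald.co.uk", "j.smith@press.exampleherald.co.uk",
                 "jsmith.herald@gmail.com", "j.smith@exarnpleherald.co.uk",
                 "j.smith@exampleherald.com", "j.smith@exampleherald-press.com",
                 "editor@randomshop.net"]:
        print(f"{addr:40} {classify_sender(addr, LEGIT)}")
```

Anything other than `legitimate_domain` or `subdomain` deserves a second look before replying, and a `lookalike` verdict on an unsolicited approach from a "journalist" is exactly the pattern the advisory describes. The edit-distance threshold is deliberately tight; a looser one would flag more genuinely unrelated domains.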

Lewis Maddison
Reviews Writer