Seaborgium has mainly targeted NATO countries, particularly the US and the UK, and occasionally attacked Baltic states, Nordic countries, and Eastern Europe.
“Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia and organizations involved in supporting roles for the war in Ukraine,” Microsoft said.
Since the beginning of 2022, the threat actor has been observed targeting over 30 organizations, in addition to personal accounts of people of interest.
“Seaborgium has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad,” Microsoft said.
Seaborgium focuses on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.
The company claims to have disrupted Seaborgium’s ongoing phishing operations with the help of Google Threat Analysis Group and the Proofpoint Threat Research Team.
Microsoft, tracking the group since 2017, said its campaigns involve persistent phishing and credential theft, leading to intrusions and data theft. Researchers assess that the information stolen during the intrusions likely supports traditional espionage goals and operations.
Most likely, Seaborgium uses social media platforms, such as LinkedIn, personal directories, and general open-source intelligence (OSINT) to conduct their reconnaissance of target individuals. Threat actor also uses legitimate email services to impersonate individuals and establish contact with their target.
After establishing contact with the victim, Seaborgium delivers a malicious link to steal the target’s credentials. The threat actor uses stolen credentials to sign in to victim email accounts, exfiltrate data, set up persistent data collection, and access the people of interest.
“There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties,” Microsoft said in a blog post.
What is more, Microsoft observed sporadic Seaborgium’s involvement with information operations.
“The actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup. The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach.”
More from Cybernews:
Subscribe to our newsletter