Russian and Iranian hackers increase spear-phishing attacks

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


The UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – has warned that hackers based in Russia and Iran are conducting increased spear-phishing attacks.

Spear-phishing involves sending a malicious electronic communication to get someone to download malware or hand over sensitive information.

The attacks are often highly targeted to make it appear like the communication is from a loved one, friend, colleague, or business that the target knows and trusts.

The NCSC has identified two active spear-phishing campaigns: one by Russia-based group SEABORGIUM, and the other by Iran-based group TA453.

In an advisory posted today, the NCSC explains more about the techniques used in these attacks and provides advice on how to mitigate them.

Paul Chichester, NCSC Director of Operations, said:

“The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.

These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.”

SEABORGIUM and TA453 take the time to research the interests of their targets, using resources such as social media and professional networking platforms. They often begin building a rapport with “benign contact on a topic they hope will engage their targets.”

The groups create fake profiles that impersonate respected experts and journalists and even use conference and event invitations to give the illusion of legitimacy.

Eventually, a malicious URL is sent to the victim. The URL may be in an email, in a document on a file-sharing platform, or anywhere else where a link can be shared.

“TA453 has even shared malicious links disguised as Zoom meeting URLs, and in one case, even set up a Zoom call with the target to share the malicious URL in the chat bar during the call,” wrote the NCSC in their advisory.

The URL often directs to an actor-controlled server that mirrors the sign-in page for a legitimate service.

Once a victim's credentials are compromised, the attackers often use their access to the mailbox to steal data and sensitive information. Mail-forwarding rules have also been found on compromised accounts, giving the attackers an ongoing view of the victim's correspondence.
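The mail-forwarding behaviour described above is something mailbox administrators can audit for. The following is an added example, not code from the article or the NCSC advisory: it scans constructed mailbox audit records (their shape is an assumption for this example, loosely modelled on Exchange inbox-rule and mailbox cmdlet parameters) and flags rules that forward or redirect mail to addresses outside the organisation's own domains.

```python
from typing import Any, Dict, Iterable, List

# Cmdlet parameters that cause mail to leave the mailbox. The audit-record
# shape used below is an assumption made for this example.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress")

# Constructed sample audit events (not real data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"user": "alice@example.org", "operation": "New-InboxRule",
     "parameters": {"Name": "Archive", "MoveToFolder": "Archive"}},
    {"user": "bob@example.org", "operation": "New-InboxRule",
     "parameters": {"Name": ".", "ForwardTo": ["collector@mail.example"],
                    "DeleteMessage": True}},
    {"user": "carol@example.org", "operation": "Set-Mailbox",
     "parameters": {"ForwardingSmtpAddress": "smtp:carol.home@webmail.example"}},
    {"user": "dave@example.org", "operation": "Set-InboxRule",
     "parameters": {"Name": "Team", "RedirectTo": "team@example.org"}},
]

def _domain(address: str) -> str:
    """Lower-cased domain of an address, tolerating an 'smtp:' prefix."""
    addr = address.split(":", 1)[-1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def external_recipients(value: Any, trusted: Iterable[str]) -> List[str]:
    """Recipients in `value` (a string or a list) whose domain is not trusted."""
    trusted = {d.lower() for d in trusted}
    addresses = value if isinstance(value, list) else [value]
    return [a for a in addresses if _domain(a) not in trusted]

def find_suspicious_forwarding(events, trusted_domains):
    """One finding per event that sends mail to an external address.
    A rule that also deletes the original is marked, because that hides
    the forwarded copies from the mailbox owner."""
    findings = []
    for ev in events:
        params = ev.get("parameters", {})
        for p in FORWARDING_PARAMS:
            if p not in params:
                continue
            ext = external_recipients(params[p], trusted_domains)
            if ext:
                findings.append({"user": ev["user"], "operation": ev["operation"],
                                 "parameter": p, "external": ext,
                                 "hides_copies": bool(params.get("DeleteMessage"))})
    return findings
```

Run against the constructed events with `{"example.org"}` as the trusted set, only bob's and carol's rules are reported; dave's redirect stays inside the organisation and is ignored.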

The NCSC says the attacks by SEABORGIUM and TA453 are generally not aimed at the general public but seek to compromise individuals working in sectors including academia, defence, government organisations, NGOs, and think tanks. Politicians, journalists, and activists are also key targets.

“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online,” adds Chichester.

Anyone who believes they’ve been targeted is encouraged to report it to the NCSC.

(Photo by Philipp Katzenberger on Unsplash)
