NCSC: Russian and Iranian hackers targeting UK politicians, journalists

Image:

NCSC: Russian and Iranian hackers targeting UK politicians, journalists

Threat actors are impersonating journalists, colleagues and interested parties to obtain credentials in spear-phishing attacks, agency warns

NCSC, the cyber security arm of GCHQ, has issued an advisory warning about the targeting of media and political organisations by hackers from Russia and Iran.

The groups mentioned, SEABORGIUM from Russia and TA453 (alias APT42 and Charming Kitten) from Iran, are believed to be associated with the governments of those countries. They have been observed conducting spear-phishing operations against targets in academia, defence, government organisations, NGOs and think-tanks, according to NCSC, and individuals including journalists, activists and politicians.

"These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems," said Paul Chichester, NCSC director of operations, in a statement.

"We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online."

NCSC's advisory gives examples of how individuals and organisations are targeted via email, social media and collaboration platforms by operatives who first gain their confidence by impersonating media professionals, interested parties or colleagues.

"SEABORGIUM and TA453 identify hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts," it says.

"They have also created fake social media or networking profiles that impersonate respected experts, and used supposed conference or event invitations, as well as false approaches from journalists."

Sometimes the actors adopt more than one persona in order to appear more convincing. Once trust has been built, the next stage is often to share a malicious link disguised as a document or Zoom invite, in an effort to persuade the target to enter their credentials, including passwords, in a bogus web form.

The aim of the threat actors is generally thought to be information gathering, seeking out materials that could be used later to embarrass the targets or compromise their organisations. It is not believed that the two groups are operating together.

To protect against spear-phishing, NCSC advises individuals and organisations to take the following measures,

Use strong and separate passwords for your email account
Turn on multi-factor authentication
Protect your devices and networks by keeping them up to date
Exercise vigilance
Enable your email providers' automated email scanning features
Disable mail-forwarding

Phishing is one of the primary methods used by hackers to obtain credentials. Often perpetrators take advantage of events, such as the pandemic, elections or the death of the Queen, when people are more likely to accept approaches from strangers or click on emailed links. Spear-phishing is used to describe the targetting of specific individuals in this way. The Ukraine war has seen an uptick in such activities from Russian hackers in particular.