Spy group abuses Microsoft OneDrive to steal credentials in hack-and-leak campaigns

Microsoft has warned that a “highly persistent” threat actor from Russia has targeted NATO nations with credential theft campaigns that abuse OneDrive to compromise accounts, steal data and then leak information to sway public opinion.

Dubbed Seaborgium by Microsoft, the group has worked to steal information from targeted NATO countries, particularly the US and UK, and occasionally from other countries in the Baltics, the Nordics, and Eastern Europe, as well as Ukraine government organizations prior to Russia’s February 24 invasion. On occasion, the group also leaked data as part of what seem to be disinformation/misinformation campaigns.

The Microsoft Threat Intelligence Center (MSTIC), which tracks sophisticated and state-sponsored actors, has focussed on Seaborgium ‘s abuse of OneDrive to gain visibility into the group’s activities.

The group has both used OneDrive as a lure in attachments that impersonate the service, and abused OneDrive to host PDFs containing links to malicious URLs.

“The victim is presented with what appears to be a failed preview message, enticing the target to click the link to be directed to the credential-stealing infrastructure. Occasionally, Seaborgium makes use of open redirects within the PDF file to further disguise their operational infrastructure,” says MSTIC in a blogpost. 

Once victims click the link, they’re redirected to credential-stealing infrastructure, sometimes by way of Google URLs for redirection purposes. The actors use a login page that impersonates a legitimate provider, which allows the attacker to intercept credentials typed into username and password fields.

Google’s Threat Analysis Group (TAG) and Proofpoint’s Threat Research Team have respectively identified COLDDRIVER and TA446 as overlapping with Seaborgium.

“Seaborgium intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries,” MSTIC says.

Brexit leak

MSTIC says it agrees with Google TAG’s assessment that a leak of emails from several leading Brexiteers in May was attributable to Russian hackers, as Reuters reported at the time. The leak site, labelled ‘Very English Coop d’Etat’, contained emails exchanged between 2018 and 2022 that were allegedly stolen from consumer Protonmail accounts of the victims.

“Microsoft independently linked Seaborgium to the campaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation,” MSTIC said. 

Microsoft warns that similar leaks needed to be interpreted with caution because the actors may have inserted misinformation or disinformation to support the narrative they’re pushing.

Microsoft, which started tracking Seaborgium in 2017, says that in 2022 alone its campaigns have targeted over 30 organizations, as well as personal accounts of people of interest.        

It stops short of labelling Seaborgium a state-sponsored actor. “Seaborgium is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests,” says MSTIC. 

Seaborgium was one of the threat actors Microsoft singled out in its April special report on Russian use of cyberattacks in conjunction with military attacks on Ukraine.   

Almost a third of Microsoft’s nation-state security notifications have been delivered to Microsoft consumer email accounts.

The group’s primary targets are defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. 

“Seaborgium has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad,” MSTIC notes.

Intelligence and disinformation 

The group has been seen sending emails and attachments from victims’ inboxes, setting up forwarding rules from victim inboxes to ‘dead drop’ accounts, and using impersonation accounts to allow dialogue with people of interest and gather extra information via mailing lists. The whole point is to steal relevant information that can be used for intelligence or disinformation.

Microsoft and LinkedIn have also observed fake LinkedIn profiles being used to conducting reconnaissance on employees from organizations of interest. LinkedIn was used in conjunction with research on social media platforms, personal directories and general open-source intelligence gathering.

Given the specific techniques used by Seaborgium, such as email forwarding, concerned end-users should take note of Microsoft’s advice to mitigate the group’s threats: 

• Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
• Configure Office 365 to disable email auto-forwarding.
• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
• Require multifactor authentication (MFA) for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.
• Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

 Microsoft’s blogpost also details mitigations available for Microsoft Defender for Office 365 Customers.