Brian Sims
Editor

Experts warn of targeted spear-phishing attacks from Russia and Iran

UK CYBER experts have warned of the threat from targeted spear-phishing campaigns orchestrated against organisations and individuals by cyber actors based in Russia and Iran.

In its latest advisory, the National Cyber Security Centre (NCSC) – which is part of GCHQ – has shared details about the techniques and tactics used by the attackers as well as mitigation advice designed to combat the continuing threat.

Spear-phishing involves an attacker sending malicious links, for example via e-mail, to specific targets in order to try to induce them to share sensitive information.

The advisory highlights that, throughout 2022, separate malicious campaigns were conducted by Russia-based group SEABORGIUM and Iran-based group TA453, also known as APT42, to target a range of organisations and individuals in the UK (and elsewhere) for information-gathering purposes.

These attacks are not aimed at the general public, but rather targets in specified sectors, including academia, defence, Government organisations, NGOs and Think Tanks, as well as politicians, journalists and activists.

The advisory, which is based on NCSC understanding and extensive industry reporting, recommends that organisations and individuals alike remain vigilant to approaches and follow the mitigation advice outlined in order to protect their online accounts from compromise.

Persistent threat

Paul Chichester, director of operations at the NCSC, said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks. These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.”

Chichester continued: “We strongly encourage organisations and individuals to remain vigilant to potential approaches. They would do well to follow the mitigation advice in the advisory in order to protect themselves online.”

This activity is typical of spear-phishing attacks, where the actor undertakes reconnaissance activity around their target to tailor their content before making an approach.

Contact may initially appear benign as the attacker looks to gain targets’ trust and build a rapport, before then using typical phishing ‘trade craft’ to share malicious links that can then lead to credential theft and onward compromise.

The NCSC advisory describes how approaches have been made via e-mail, social media and professional networking platforms, with attackers impersonating real-world contacts of their targets, sending false invitations to conferences and events and sharing malicious links that are disguised as Zoom meeting URLs.

While the malicious campaigns use similar techniques and have similar targets, these campaigns are separate and the two actors are not collaborating.

Specific advice

The NCSC advisory includes the following advice designed to mitigate the spear-phishing activity:

* use strong and separate passwords for e-mail accounts

* turn on multi-factor authentication (also known as two-step verification)

* protect devices and networks by keeping them up-to-date

* enable e-mail providers’ automated e-mail scanning features

* disable mail-forwarding

The ‘Think Before You Link’ app devised by the Centre for the Protection of National Infrastructure is also designed to assist individuals in identifying malicious online profiles and reducing the risk of being targeted.

The NCSC is committed to raising awareness of the latest cyber threats and provides a range of practical guidance to help public sector organisations, Critical National Infrastructure, businesses of all sizes and, of course, individuals to protect themselves online.
