NCSC warns UK under state-sponsored spear-phishing attacks from Russia and Iran

Russian and Iranian-linked hacker groups have ramped up operations targeting critical industries and high-profile public figures, according to an advisory issued by the National Cyber Security Centre (NCSC).

The security arm of GCHQ published an alert today warning that two hacker groups, based in Russia and Iran, have escalated attacks against government organisations, defence firms, media publications, and non-profits.

Russian group Seaborgium, also known as ‘Cold River’, was found to have waged an “expansive” spear-phishing campaign against UK targets. The Iranian group tracked as TA453 and ‘Charming Kitten’, has also ramped up similar attacks, the advisory revealed.

The NCSC said both groups' efforts were motivated by "information gathering purposes" - as is often the case with state-level cyber security operations.

For this reason, it added that attacks are not being aimed at the general public, instead targets are chosen in specialised areas with access to the most valuable information.

Spear-phishing targets

While spear-phishing is a well-established and often lucrative attack method employed by hackers, the cyber security authority said that both groups use a number of techniques to target victims across multiple modes of communication.

Social media and professional networking sites have been used to identify targets, the advisory read, which enables the groups to engage with potential victims.

“They take the time to research their interests and identify their real-world social or professional contacts,” the NCSC said.

“They have also created fake social media or networking profiles that impersonate respected experts and used supposed conference or event invitations, as well as false approaches from journalists.”

Cold River and Charming Kitten have “predominantly” sent spear-phishing emails to targets' personal email addresses, the NCSC warned. However, corporate and business emails have also been targeted.

Both groups have proven highly successful in building trust with victims through extensive correspondence as the attacker builds rapport. Once this relationship has been established, malicious links delivered via email, or embedded in documents, are distributed to compromise accounts.

In one instance, Charming Kitten was found to have even set up a Zoom meeting with a target and shared a malicious URL in the chat bar during the call.

Toby Lewis, Global Head of Threat Analysis at Darktrace said the success of campaigns launched by groups such as Cold River highlights their growing capabilities.

“The difference with groups like Seaborgium and TA453 is the sophistication and research behind their attacks,” he said.

“For groups at the end of the worry spectrum, they're not just doing ‘fire-and-forget’, low-grade email campaigns, but highly targeted and engineered phishing that exploits [the] implicit trust between colleagues.”

A year of attacks for Cold River

The Cold River hacker group has been around for some time now and has claimed responsibility for a number of high-profile attacks over the last year.

Traditionally, the group hasn’t targeted the public and has instead focused on compromising public figures to create political disruption.

In May last year, security researchers at Google accused the group of hacking into and leaking emails belonging to Richard Dearlove, the former director of MI6.

Cold River also claimed responsibility for attacks on US-based nuclear research centres at the beginning of this year.

This particular incident saw the group create fake login pages for staff working at three laboratories and a phishing campaign aimed at encouraging workers to divulge passwords.