
NCSC warns UK under state-sponsored spear-phishing attacks from Russia and Iran

The acceleration in spear-phishing campaigns last year coincided with the escalating conflict in Ukraine, according to the NCSC

Russian and Iranian-linked hacker groups have ramped up operations targeting critical industries and high-profile public figures, according to an advisory issued by the National Cyber Security Centre (NCSC).  

The security arm of GCHQ published an alert today warning that two hacker groups, based in Russia and Iran, have escalated attacks against government organisations, defence firms, media publications, and non-profits.  

Russian group Seaborgium, also known as ‘Cold River’, was found to have waged an “expansive” spear-phishing campaign against UK targets. The Iranian group, tracked as TA453 and ‘Charming Kitten’, has also ramped up similar attacks, the advisory revealed.  

The NCSC said both groups' efforts were motivated by "information gathering purposes" - as is often the case with state-level cyber security operations.

For this reason, it added, the attacks are not aimed at the general public; instead, targets are chosen in specialised areas with access to the most valuable information.

Spear-phishing targets 

While spear-phishing is a well-established and often lucrative attack method employed by hackers, the cyber security authority said that both groups use a number of techniques to target victims across multiple modes of communication.  

Social media and professional networking sites have been used to identify targets, the advisory read, which enables the groups to engage with potential victims.  

“They take the time to research their interests and identify their real-world social or professional contacts,” the NCSC said.  


“They have also created fake social media or networking profiles that impersonate respected experts and used supposed conference or event invitations, as well as false approaches from journalists.” 

Cold River and Charming Kitten have “predominantly” sent spear-phishing emails to targets' personal email addresses, the NCSC warned. However, corporate and business emails have also been targeted.  

Both groups have proven highly successful at building trust through extensive correspondence with their victims. Once this rapport has been established, malicious links, delivered via email or embedded in documents, are sent to compromise accounts. 

In one instance, Charming Kitten was found to have even set up a Zoom meeting with a target and shared a malicious URL in the chat bar during the call.  

Toby Lewis, Global Head of Threat Analysis at Darktrace, said the success of campaigns launched by groups such as Cold River highlights their growing capabilities.  

“The difference with groups like Seaborgium and TA453 is the sophistication and research behind their attacks,” he said.  

“For groups at the end of the worry spectrum, they're not just doing ‘fire-and-forget’, low-grade email campaigns, but highly targeted and engineered phishing that exploits [the] implicit trust between colleagues.” 

A year of attacks for Cold River 

The Cold River hacker group has been around for some time now and has claimed responsibility for a number of high-profile attacks over the last year.  

Traditionally, the group hasn’t targeted the public and has instead focused on compromising public figures to create political disruption.  

In May last year, security researchers at Google accused the group of hacking into and leaking emails belonging to Richard Dearlove, the former director of MI6.  

Cold River also claimed responsibility for attacks on US-based nuclear research centres at the beginning of this year.  

In that incident the group created fake login pages for staff at three laboratories and ran a phishing campaign aimed at encouraging workers to divulge their passwords. 
