The National Cyber Security Centre (NCSC) issued an alert about two groups from Russia and Iran, warning those in government, defence, think tanks, and the media against clicking on malicious links from people posing as conference hosts, journalists or even colleagues.
The groups have been active for some years, but have recently stepped up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other Nato countries. Unlike that of most cyber criminals, their goal seems to be to steal secrets.
Paul Chichester, NCSC’s operations director, said the “threat actors based in Russia and Iran” from the two separate groups “continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems”.
The hackers typically seek to gain a target’s confidence by impersonating somebody likely to make contact with them, such as a journalist, and ultimately lure them into clicking on a malicious link, sometimes over the course of several emails and other online interactions.
The Iranian group, dubbed Charming Kitten, held a fake Zoom meeting with its target, and shared the malicious link “in the chat bar during the phone call”, the NCSC said. Sometimes two or more fake personas are used in a carefully crafted effort to convince a person that their inquiries or business are legitimate.
The Russian group, known as Seaborgium or Cold River, hacked into correspondence involving the former director of MI6, Richard Dearlove, and other hard Brexiters seeking to block Theresa May’s Chequers EU exit deal.
This year they had a go at hitting three nuclear research laboratories in the US, creating fake login pages for each institution and emailing scientists who worked there to try to make them reveal their passwords.
Although the method is one of the oldest hacking techniques, what distinguishes the two groups is the effort made to fool their targets, including creating “fake social media or networking profiles that impersonate respected experts” and offering invites to nonexistent conferences supposedly relevant to their targets.