Russian Hackers Target U.S. Military Weapons and Hardware Supplier
Reading Time: 3 minutes

Russian hackers target US military weapons and hardware suppliers, according to RecordedFuture. 

RecordedFuture, the world’s largest intelligence company attributed the new infrastructure to a threat activity group dubbed TAG-53 aka, Callisto, COLDRIVER, SEABORGIUM, and TA446. They are linked to attack infrastructure that spoofs the Microsoft login page of Global Ordnance, legitimate U.S.-based military weapons and hardware supplier.

Their findings revealed 38 domains, nine of which contained references to companies like UMO Poland, Sangrail LTD, DTGruelle, Blue Sky Network, the Commission for International Justice and Accountability (CIJA), and the Russian Ministry of Internal Affairs.

It’s suspected that the themed domains are likely an attempt on part of the adversary to masquerade as authentic parties in social engineering campaigns.

“Notably, a consistent trend has emerged regarding the use of specifically tailored infrastructure by TAG-53 highlighting the long-term use of similar techniques for their strategic campaigns,” the researchers said.

The development comes nearly four months after Microsoft disclosed that it took steps to disrupt phishing and credential theft attacks mounted by the group with the goal of breaching defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S.

Enterprise security company Proofpoint has further called out the group for its sophisticated impersonation tactics to deliver rogue phishing links.

Although it’s impossible to know for sure, it appears that the themed domains may be an attempt by the bad actor to mask their true identity in social engineering campaigns.

There’s a concerning trend emerging with TAG-53’s use of specifically tailored infrastructure. Researchers noticed they seem to be using the same techniques in their strategic campaigns on a regular basis.

After Microsoft announced a number of steps to disrupt phishing and credential theft attacks from the group with the goal of breaching defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S., the new development came about four months later. Earlier Microsoft also warned Europe of DDoS attacks from Russia.

Security company Proofpoint has commented on the sophistication of the group’s impersonation tactics, calling them out for sending users phishing links.

The threat actor has also been tied with low confidence to a spear-phishing operation targeting Ukraine’s Ministry of Defense that occurred at the time Russia launched military operations in the country.

SEKOIA.IO, a separate article, corroborated the findings, discovering a total of 87 domains, two of which are related to private sector companies Emcompass and BotGuard. Four NGOs involved in Ukraine crisis relief were also targeted.

The attacks were carried out via email communications between the NGO and spoofed email addresses mimicking a trusted source used by the attackers. This was followed by sending a malicious PDF containing a phishing link in an attempt to evade detection from email gateways.

This is what the email exchange showed. The attacker didn’t include the payload in the first email but waited to establish a relationship and avoid suspicion before sending it to the victim.

The use of typosquatted domains registered in Russian ministries further adds weight to Microsoft’s assessment that SEABORGIUM targets former intelligence agents, experts in Russian affairs, and Russian citizens abroad.

SEKOIA.IO has accused CIJA of intelligence-gathering, saying they are seeking to “amass war-crime related evidence and/or international justice procedures, likely to anticipate and build a counter-narrative on future accusations.”

Security breach company Lupovis has found that as of March, Russian threat actors have been using networks belonging to these companies in order to launch attacks against Ukraine.

Microsoft has warned of “fewer traditional cyber attacks,” and has pointed out that Russia’s multi-pronged strategy includes cutting off terrorist groups’ access to financing and resources, developing new aviation technology, and creating a digital economy.

Related Articles:
Microsoft warns Europe of DDoS attacks From Russia
SIM Swapping Hackers Target Telecom and BPO Companies
Cryptonite Open Source Ransomware Toolkit Turns Into Accidental Wiper Malware