Russian and Iranian state-sponsored threat actors continue their respective spear-phishing campaigns against organisations and individuals across the UK.

Our colleagues at the National Cyber Security Centre (NCSC), the UK’s technical authority on cyber security, have issued an advisory highlighting the activities of the Russia-based SEABORGIUM and Iran-based TA453.

These state-sponsored threat actors continue to successfully use spear-phishing attacks against targeted organisations and individuals in the UK, and other areas of interest, for information gathering activity.

Although there are similarities in the tactics, techniques, procedures and targeting profiles, these campaigns are separate and the two groups are not collaborating.

This advisory aims to raise awareness of this activity for individuals and organisations in sectors known to be of interest to these actors. It helps identify the specifics of these actors' spear-phishing techniques and has been published here.

The full guidance is available have urged UK organisations to prepare for an extended period of heightened threat in relation to the Russia-Ukraine conflict and have published new guidance.

The activity is typical of spear-phishing campaigns. The actor conducts reconnaissance, including of social media and professional networking platforms, then identifies known topics with which to engage their target. They take the time to research the target's interests and identify their real-world social or professional contacts.

Thereafter they target a specific individual or group, using information known to be of interest to the targets to engage them. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.

The recommended actions in the guidance include:

  • Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC Guidance.
  • Use multi-factor authentication, also known as 2-step verification, which helps reduce the impact of password compromises. See NCSC Guidance.
  • Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security updates promptly, and use antivirus and scan regularly to guard against known malware threats. See NCSC Guidance.
  • Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion. You may recognise the sender’s name, but has the email come from an address that you recognise? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address, rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC phishing guidance. CPNI’s ‘Think Before You Link’ app can help individuals identify malicious online profiles and reduce the risk of being targeted in the first instance.
  • Enable your email provider’s automated email scanning features. These are turned on by default for consumer mail providers. See NCSC advice.
  • Disable mail-forwarding. Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.
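
One way to carry out the regular forwarding-rule check from the last recommendation, as an added example that is not part of the original alert or the NCSC guidance. The rule export format, its field names, the addresses and the `example.org` domain are all constructed for illustration.

```python
import json
from email.utils import parseaddr

# Constructed sample export of mailbox rules; field names are hypothetical.
SAMPLE_RULES = json.loads("""
[
 {"mailbox": "a.smith@example.org", "name": "Team archive", "enabled": true,
  "forward_to": ["archive@example.org"]},
 {"mailbox": "a.smith@example.org", "name": ".", "enabled": true,
  "forward_to": ["A Smith <asmith.backup@webmail.test>"]},
 {"mailbox": "j.doe@example.org", "name": "Reports", "enabled": true,
  "forward_to": ["reports@hq.example.org", "copy@example.org.mail-relay.test"]},
 {"mailbox": "j.doe@example.org", "name": "old", "enabled": false,
  "forward_to": ["me@personal.test"]}
]
""")

ORG_DOMAINS = {"example.org"}  # assumption: domains the organisation owns


def is_internal(address, org_domains):
    """True if the address is in an owned domain or one of its subdomains."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def external_forwards(rules, org_domains):
    """Return (mailbox, rule name, target, enabled) for every external target."""
    findings = []
    for rule in rules:
        for target in rule.get("forward_to", []):
            if not is_internal(target, org_domains):
                # Disabled rules are reported too: they can be re-enabled later.
                findings.append((rule["mailbox"], rule["name"],
                                 parseaddr(target)[1], rule.get("enabled", True)))
    return findings


if __name__ == "__main__":
    for mailbox, name, target, enabled in external_forwards(SAMPLE_RULES, ORG_DOMAINS):
        state = "active" if enabled else "disabled"
        print(f"{mailbox}: rule {name!r} forwards to {target} ({state})")
```

The third sample rule shows why the comparison is on the full domain suffix: a target whose domain merely begins with the organisation's name is still reported as external.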

Further information and guidance for specific sectors are available through the NCSC website. We would also encourage you to follow the NCSC’s social media channels: LinkedIn and Twitter for further alerts and updates.

If you have been a victim of crime, and it is not an ongoing emergency, you can report this to Police Scotland on 101.

Police Scotland

This alert was sent out for your information by Police Scotland Cybercrime Harm Prevention Unit. All information was correct at time of distribution.
