State-linked Russian and Iranian hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns aimed at gaining access to a person’s email, Britain’s online security agency warned on Thursday.
The National Cyber Security Centre (NCSC) issued an alert on two groups from Russia and Iran, warning members of the government, defense, think tanks and the media not to click on malicious links from people who pose as conference hosts, journalists or even colleagues.
Both groups have been active for a few years, but have recently been known to step up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other NATO countries. Their goal is to steal secrets, or leak online correspondence to embarrass high-profile figures, but not to extort money.
Paul Chichester, NCSC’s chief operating officer, said “Russian and Iranian-based threat actors” from the two splinter groups “continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.”
Hackers typically seek to gain the trust of a target by posing as someone who is likely to contact them, such as by impersonating a journalist, and ultimately luring them into clicking on a malicious link, sometimes over the course of various emails and other online interactions.
In one case, the Iranian group, dubbed Charming Kitten, held a fake Zoom meeting with its target and shared the malicious link “in the chat bar during the phone call,” the NCSC said. Sometimes two or more fake personas are used in a carefully designed effort to convince a person that their inquiries or business are legitimate.
Last year, the Russian group known as Seaborgium or Cold River was accused by Google of hacking and leaking correspondence involving former MI6 director Richard Dearlove and other Brexit hardliners seeking to block Theresa May’s Chequers EU exit deal.
This year, the same group was accused of targeting three nuclear research laboratories in the US, creating fake login pages for each institution, and emailing scientists who worked there to try to get them to reveal their passwords. It is not clear if any of the efforts were successful.
Ultimately, and ideally having established a relationship, hackers will try to lure a person into clicking a link that takes them to a web page where they will be asked to enter their password details. At this point, their email is compromised using a technique known as “spear phishing.”
Although the method is one of the oldest hacking techniques, what distinguishes the two groups is the effort put into deceiving their targets, including creating “fake social media or network profiles posing as respected experts” and offering invitations to non-existent conferences supposedly relevant to their goals.
Once in control of an account, hackers sometimes use it to lure others, because victims are more trusting when the emails they receive come from a genuine account. Hackers also set secret “mail forwarding rules” in an effort to regain access to an email account even when the attack is detected and passwords are reset.
Both groups are believed to be state-run and engage in what is described as “cyberespionage” activities, but the British agency has not formally blamed the Russian or Iranian governments. When such attributions are made, they are made by the Secretary of Foreign Relations or other ministers of the Ministry of Foreign Relations.
NCSC encourages people to use strong email passwords. One technique is to use three random words and not reuse them as a login credential on other websites. It recommends that people use two-factor authentication, using a mobile phone as part of the login process, ideally with a dedicated authenticator app.
The cyber agency also advises people to be especially careful when receiving plausible-sounding messages from strangers who use Gmail, Yahoo, Outlook, or other webmail accounts, sometimes posing as “known contacts” of the target selected from social networks.