Russian and Iranian Hackers Ramp Up Targeted Spear-Phishing Campaigns

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, has issued a warning that hackers operating from Russia and Iran have increased their use of targeted spear-phishing campaigns.

Spear-phishing is a form of cyber-attack that uses tailored electronic messages to trick victims into downloading malware or revealing sensitive credentials. These attacks are carefully crafted to appear as if they come from a trusted source — a colleague, friend, journalist, conference organiser, or other familiar contact.

The NCSC has identified two active campaigns: one run by a Russia-based group known as SEABORGIUM and another by an Iran-based group called TA453. In a public advisory, the NCSC describes the methods these groups use and provides practical mitigation advice.

Paul Chichester, Director of Operations at the NCSC, commented that the UK remains committed to exposing malicious cyber activity alongside industry partners. He warned that these persistent spear-phishing campaigns are aimed at stealing online credentials and compromising systems that may contain sensitive information.

Both SEABORGIUM and TA453 invest time in researching potential victims using social media and professional networking platforms. They build credibility by initiating benign conversations on topics of interest to their targets and by creating fake profiles that impersonate respected experts or journalists. They may also use seemingly legitimate conference and event invitations to reinforce authenticity.

At a later stage, the attackers deliver a malicious URL. This link can be shared in an email, embedded in a document on a file-sharing platform, or sent through any channel that supports links. The NCSC notes that TA453 has disguised malicious links as Zoom meeting URLs and, in at least one case, even joined a Zoom call to post the malicious link in the chat.

These links typically lead to actor-controlled servers that replicate the sign-in pages of genuine services. If a target enters their credentials on the fake page, the attackers gain access to their account. Compromised mailboxes are frequently abused to harvest sensitive data, and attackers often set up mail-forwarding rules to maintain ongoing visibility of the victim’s correspondence.
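
One way to check for the mail-forwarding behaviour described above, as an added example that is not from the NCSC advisory or the original article: audit an export of inbox rules and flag any rule that forwards or redirects mail outside the organisation. The record fields, the `ORG_DOMAINS` set and every sample value are constructed assumptions, not any mail product's schema.

```python
# Added example: flag inbox rules that send mail to external recipients.
# Field names and sample records are constructed for illustration only.
from email.utils import parseaddr

ORG_DOMAINS = {"example.org"}  # assumption: domains the organisation owns

# Constructed sample of exported inbox rules (hypothetical layout).
SAMPLE_RULES = [
    {"mailbox": "a.researcher@example.org", "rule_name": "Team digest",
     "enabled": True, "forward_to": ["team@lists.example.org"], "redirect_to": []},
    {"mailbox": "b.fellow@example.org", "rule_name": ".",
     "enabled": True, "forward_to": ["Archive <copy@mail.example.net>"],
     "redirect_to": []},
    {"mailbox": "c.analyst@example.org", "rule_name": "sync",
     "enabled": False, "forward_to": [],
     "redirect_to": ["backup@example.org.lookalike.test"]},
]

def recipient_domain(recipient):
    """Return the lower-cased domain of an address, or '' if unparseable."""
    _, addr = parseaddr(recipient)
    local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""

def is_internal(domain, org_domains):
    """True only for an organisation domain or a true subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in org_domains)

def external_forwarding_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per rule with at least one external recipient."""
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        # Unparseable recipients yield '' and are treated as external.
        external = sorted(t for t in set(targets)
                          if not is_internal(recipient_domain(t), org_domains))
        if external:
            findings.append({"mailbox": rule["mailbox"],
                             "rule_name": rule["rule_name"],
                             "enabled": rule.get("enabled", True),
                             "external_recipients": external})
    return findings

if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_RULES):
        print(finding)
```

Disabled rules are still reported, with `enabled` set to `False`, so a reviewer can decide whether a dormant rule should be removed.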

The NCSC says these campaigns are not random attacks on the general public. Instead, they focus on people working in specific sectors — including academia, defence, government organisations, non-governmental organisations, and think tanks — as well as politicians, journalists, and activists.

The NCSC urges organisations and individuals to remain vigilant and adopt the mitigation measures outlined in its advisory to reduce the risk of falling victim to these campaigns. Anyone who believes they have been targeted is encouraged to report the incident to the NCSC.
