Meet the prolific Russian espionage crew hacking spymasters and lawmakers

A notorious hacking group with alleged ties to Russian intelligence services has claimed its latest victim: British lawmaker Stewart McDonald.

McDonald, a member of Parliament for his constituency in Glasgow South, told BBC News that he fears he had been the victim of a “disinformation” campaign after his personal email account was “hacked by Russia.” McDonald said the hackers sent a document purporting to include a military update on Ukraine, but when opened contained a phishing page that tricked him into entering his email address and password.

It became clear that the tactics used in this hack mirrored a recent NCSC advisory notice on spear phishing emails that target academia, defence, government organisations, NGOs, think-tanks, as well as politicians, journalists and activists.https://t.co/dN0pHaY4iN

— Stewart McDonald MP (@StewartMcDonald) February 8, 2023

The intrusion is believed to be linked to the prolific “Seaborgium” hacking group, also referred to as “Cold River” and “Calisto.”

Seaborgium may not be as well known as Russia’s Fancy Bear or Sandworm hackers, but it is rapidly making a name for itself. The U.K. government has warned of the group’s “ruthless” attempts to pursue its victims, and security researchers say the gang’s growing list of targets — including politicians, defense and government organizations — suggests Seaborgium is closely tied to the Russian state.

Who is Seaborgium?

The Seaborgium hacking group has been active since at least 2017 and is known for conducting long-running cyber espionage campaigns against NATO countries, particularly the U.S. and the United Kingdom, but also further afield as the Baltics, the Nordics and Eastern Europe.

Microsoft’s Threat Intelligence Center, or MSTIC, which has tracked the group since its inception, assesses that Seaborgium is a Russia-based group with “objectives and victimology” that align closely with Russian state interests.

“While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other non-state ecosystems, MSTIC assesses that information collected during Seaborgium intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations,” Microsoft researchers said.

French threat intelligence startup Sekoia.io, which tracks the group as “Calisto,” said in December that while there is an absence of technical evidence linking Seaborgium to known Russian hacking groups, it found that the hacking group “contributes to Russian intelligence collection about identified war crime-related evidence and/or international justice procedures.”

Who does Seaborgium target?

Seaborgium has historically targeted sectors including academia, defense, governmental organizations, NGOs and think tanks, as well as politicians, journalists and activists.

In May 2022, Google’s Threat Analysis Group, which tracks Seaborgium as “Cold River,” attributed a hack-and-leak operation that saw a trove of emails and documents stolen and leaked from high-level Brexit proponents, including Sir Richard Dearlove, the former head of the U.K. foreign intelligence service MI6. The stolen documents were spread on social media to amplify a false narrative that Brexit proponents were behind a conspiracy to oust a then-sitting prime minister.

In January, it was revealed that Seaborgium also targeted scientists at three U.S. nuclear research labs — Brookhaven, Argonne and Lawrence Livermore Laboratories — last year.

Microsoft’s threat intelligence unit MSTIC says it has also seen Seaborgium targeting Ukraine’s government sector in the months leading up to Russia’s invasion in February 2022, along with organizations involved in supporting roles for the war in Ukraine. Seaborgium has targeted former intelligence officials, experts in Russian affairs and Russian citizens abroad, suggesting the hacking group is also involved in domestic surveillance.

Microsoft said some 30% of Seaborgium activity targets personal email accounts.

What are Seaborgium’s motives?

The main goal of Seaborgium’s intrusions — which typically impersonate real people and use phishing lures with the aim of stealing a victim’s email account password — are for espionage and information operations. That’s when stolen information is strategically leaked to shape narratives in specific countries for certain reasons. Microsoft researchers say the group is unlikely to be financially motivated.

The U.K.’s National Cyber Security Center, which acts as the U.K.’s technical authority on cyber threats, said in a recent advisory that Seaborgium tends to select its targets based on the perceived level of their access to information of interest to the hackers, such as politicians, journalists and activists.

In a statement to TechCrunch, an NCSC spokesperson said it was investigating the incident involving the compromise of McDonald’s email account. “An incident has been reported to us and we are providing the individual with support,” said the spokesperson, who did not provide a name. “The NCSC regularly provides security briefings and guidance to parliamentarians to help them defend against the latest cyber threats. This includes expert advice for MPs and their staff available on the NCSC website.”

McDonald and the SNP did not respond to TechCrunch’s questions.

Read more:

• Russian ‘WhisperGate’ hackers are using new data-stealing malware to target Ukraine
• US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks
• Hackers behind SolarWinds are hiding malware in Google Drive
• Russia-backed hackers attempt to disconnect substations
• Russian hackers already targeted a Missouri senator up for reelection in 2018