A state-sponsored hacking group with links to Russia has been tied to attack infrastructure that spoofs the Microsoft login page of Global Ordnance, a legitimate U.S.-based military weapons and hardware supplier.
Recorded Future attributed the new infrastructure to a threat activity group it tracks under the name TAG-53, which is broadly known in the cybersecurity community as Blue Callisto, Callisto, COLDRIVER, SEABORGIUM, and TA446.
“Based on historical public reporting on overlapping TAG-53 campaigns, it is likely that this credential harvesting activity is enabled in part through phishing,” Recorded Future’s Insikt Group said in a report published this week.
The cybersecurity firm said it discovered 38 domains, nine of which contained references to companies like UMO Poland, Sangrail LTD, DTGruelle, Blue Sky Network, the Commission for International Justice and Accountability (CIJA), and the Russian Ministry of Internal Affairs.
It’s suspected that the themed domains are likely an attempt on the part of the adversary to masquerade as authentic parties in social engineering campaigns.