Threat Actor TAG-53
Introduction
TAG-53 is a Russian threat actor that runs phishing campaigns posing as various defense, aerospace, and logistics companies. Its infrastructure also overlaps with the tactics, techniques, and procedures of Callisto Group, COLDRIVER, and SEABORGIUM. It has repeatedly reused the same set of traits: specific domain registrars, Let's Encrypt TLS certificates, a small cluster of autonomous systems, and a specific stylistic structure.
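Reused traits like these are what let defenders cluster newly seen domains with a tracked campaign. The script below is an added example, not code from the original write-up: it scores candidate domains against a profile built from the three lookup-derived traits named above (registrar, certificate issuer, autonomous system) and flags any domain that shares at least two. The profile values, registrar names, ASNs (from the documentation range reserved by RFC 5398) and domains are all constructed placeholders, not TAG-53 indicators.

```python
# Added example (not from the original page): score candidate domains against
# a tracked infrastructure profile built from the traits the write-up names
# (registrar, TLS certificate issuer, autonomous system). All registrars, ASNs
# and domains below are CONSTRUCTED placeholders, not real TAG-53 indicators.
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    """One observed domain with the metadata a WHOIS/cert/BGP lookup would yield."""
    domain: str
    registrar: str
    cert_issuer: str
    asn: int


@dataclass(frozen=True)
class InfraProfile:
    """Traits shared by the tracked cluster; a domain is flagged when it
    matches at least `min_matches` of them."""
    registrars: frozenset
    cert_issuers: frozenset
    asns: frozenset
    min_matches: int = 2


def matching_traits(rec: DomainRecord, profile: InfraProfile) -> list:
    """Return the names of the profile traits this record shares."""
    traits = []
    if rec.registrar in profile.registrars:
        traits.append("registrar")
    if rec.cert_issuer in profile.cert_issuers:
        traits.append("cert_issuer")
    if rec.asn in profile.asns:
        traits.append("asn")
    return traits


def triage(records, profile: InfraProfile) -> dict:
    """Map each domain meeting the match threshold to the traits it shares."""
    flagged = {}
    for rec in records:
        traits = matching_traits(rec, profile)
        if len(traits) >= profile.min_matches:
            flagged[rec.domain] = traits
    return flagged


# Constructed profile: placeholder registrar names, Let's Encrypt as issuer,
# and ASNs from the range reserved for documentation (RFC 5398).
SAMPLE_PROFILE = InfraProfile(
    registrars=frozenset({"PLACEHOLDER-REGISTRAR-A", "PLACEHOLDER-REGISTRAR-B"}),
    cert_issuers=frozenset({"Let's Encrypt"}),
    asns=frozenset({64496, 64497}),
)

# Constructed records: one full match, one partial match, one that shares only
# the (very common) certificate issuer, and one unrelated domain.
SAMPLE_RECORDS = [
    DomainRecord("defense-portal-login.test", "PLACEHOLDER-REGISTRAR-A", "Let's Encrypt", 64496),
    DomainRecord("aero-docs-share.test", "PLACEHOLDER-REGISTRAR-B", "Let's Encrypt", 64510),
    DomainRecord("le-only.test", "PLACEHOLDER-REGISTRAR-C", "Let's Encrypt", 65000),
    DomainRecord("benign.example", "PLACEHOLDER-REGISTRAR-C", "DigiCert", 64500),
]

if __name__ == "__main__":
    for domain, traits in triage(SAMPLE_RECORDS, SAMPLE_PROFILE).items():
        print(f"{domain}: shares {', '.join(traits)}")
```

The threshold matters: a Let's Encrypt certificate on its own is a weak signal because a large share of the web uses it, so `le-only.test` is not flagged, while a domain that also sits with a tracked registrar or autonomous system is worth an analyst's time.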
Characteristics
TAG-53 originates from Russia, and its objectives and victimology align with the interests of Russia. It has mainly targeted NATO countries such as the USA and the UK, along with Ukraine after Russia's invasion in 2022. It has conducted phishing campaigns from Gmail accounts against many non-governmental organizations, think tanks, and journalists, as well as government and defense officials. As its tradecraft has evolved, it has also started including links to PDF or DOC files hosted on Google Drive and Microsoft OneDrive in its phishing emails.
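The lure pattern just described (a webmail sender pointing the recipient at a document hosted on Google Drive or OneDrive) can be turned into a simple mail-triage rule. The script below is an added example, not code from the original write-up or from any vendor product: it extracts URLs from a plain-text body, checks whether they point at Google Drive or OneDrive share hosts, and quarantines a message for review when such a link appears together with at least one more indicator (a Gmail sender or document wording). The sample messages and share-link IDs are constructed, not real campaign data.

```python
# Added example (not from the original page): flag inbound mail that matches the
# lure pattern the write-up describes, a webmail (Gmail) sender pointing the
# recipient at a PDF/DOC hosted on Google Drive or Microsoft OneDrive.
# The sample messages and share-link IDs are CONSTRUCTED, not real campaign data.
import re
from urllib.parse import urlparse

# Hosts that serve Google Drive and OneDrive share links.
CLOUD_SHARE_HOSTS = {
    "drive.google.com", "docs.google.com",   # Google Drive
    "onedrive.live.com", "1drv.ms",          # Microsoft OneDrive
}
WEBMAIL_DOMAINS = {"gmail.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
DOC_LURE_RE = re.compile(r"\b(pdf|docx?|documents?)\b", re.IGNORECASE)


def extract_urls(body: str) -> list:
    """Pull every http(s) URL out of a plain-text mail body."""
    return URL_RE.findall(body)


def is_cloud_share_link(url: str) -> bool:
    """True when the URL's host is a Google Drive or OneDrive share host."""
    host = (urlparse(url).hostname or "").lower()
    return host in CLOUD_SHARE_HOSTS


def classify_email(sender: str, body: str) -> dict:
    """Return the matched indicators and whether the mail should be held for
    review: a cloud-hosted document link plus at least one more indicator."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain in WEBMAIL_DOMAINS:
        reasons.append("webmail_sender")
    share_links = [u for u in extract_urls(body) if is_cloud_share_link(u)]
    if share_links:
        reasons.append("cloud_share_link")
    if DOC_LURE_RE.search(body):
        reasons.append("document_lure")
    flag = "cloud_share_link" in reasons and len(reasons) >= 2
    return {"flag": flag, "reasons": reasons, "share_links": share_links}


# Constructed messages: a lure matching all three indicators, an internal
# share that is not a lure, and a webmail message with no share link.
SAMPLE_EMAILS = [
    ("procurement.office.2023@gmail.com",
     "Please review the PDF proposal before Friday: "
     "https://drive.google.com/file/d/CONSTRUCTED_FILE_ID/view"),
    ("colleague@corp.example",
     "Meeting notes are here: https://onedrive.live.com/?id=CONSTRUCTED_ID"),
    ("newsletter@gmail.com",
     "This month's update is on our site: https://www.example.org/news"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_EMAILS:
        verdict = classify_email(sender, body)
        print(sender, "->", "REVIEW" if verdict["flag"] else "ok", verdict["reasons"])
```

Requiring two indicators keeps ordinary internal OneDrive or Drive sharing out of the quarantine queue; in a real gateway the rule would be one input to a score alongside sender reputation and authentication results rather than a hard block.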
Detection & Mitigation
Some of the prevention and mitigation techniques are as follows:
- Network and host hardening to reduce exposure to threats.
- Vulnerability management to reduce security weaknesses in exposed services.
- Strong encryption of sensitive data, so that it is of little use to the attacker even if it is stolen.
- Data Loss Prevention (DLP) and endpoint security to keep sensitive data from leaking via the network or end-user devices.
- Network- and application-level firewalls to block unwanted traffic from entering.
Conclusion
Nowadays, TAG-53 also targets organizations supporting war-stricken Ukraine. It relies heavily on phishing and spear-phishing emails to lure its victims and compromise their networks. Hence, a strong prevention strategy should be in place to keep these attacks from compromising a network.