NCSC warn businesses amid a surge of cyber attacks
The National Cyber Security Centre (NCSC) – part of GCHQ – have warned the UK about the threat of targeted spearphishing campaigns carried out by cyber actors in Russia and Iran.
The attacks are not aimed at the general public, but rather at organisations and individuals in specific sectors including academia, defence, government organisations and NGOs, and aim to gather information to allow further attacks.
The attacks appear to be typical of spearphishing where the attacker researches their target to tailor their content and approach. The NCSC has warned that:
“Contact may initially appear benign as the attacker looks to gain targets’ trust and build a rapport, before using typical phishing tradecraft to share malicious links that can lead to credential theft and onward compromise.”
They go on to say that “approaches have been made via email, social media and professional networking platforms, with attackers impersonating real-world contacts of their targets, sending false invitations to conferences and events, and sharing malicious links disguised as Zoom meeting URLs.”
Spearphishing is a relatively ‘old’ technique, but it is constantly being evolved by cyber actors and continues to be a successful method of attack.
Cyber security should be a priority at all times, but especially during a surge in cyber attacks. It’s vital you are doing everything you can to protect your business and employees from compromise. As a minimum:
- Use strong passwords. Have separate passwords for all your accounts and avoid patterns (e.g. password1, password2, password3).
- Enable multi-factor authentication (MFA). Everything that can have MFA should, and ideally it should use an authenticator app such as Microsoft Authenticator.
- Use Conditional Access instead of security defaults. Conditional Access is a Microsoft 365 feature that provides security alerts and requires extra authentication if “out of the ordinary” access requests are made.
- Block legacy authentication in Microsoft 365. The legacy authentication protocols (such as POP, SMTP etc.) that are often used for printers, scanners, and hardware monitoring like switches don’t support MFA, making them easy points of access for attackers. When enabling MFA, it’s important that you also block these legacy authentication methods.
- Keep your devices and networks up to date. Use the most up-to-date versions, apply security updates as soon as prompted, and use antivirus to scan for known malware threats.
- Disable external mail-forwarding. Following a successful attack, cyber actors have been observed to set up mail-forwarding rules to maintain visibility of their target’s emails. Disabling mail-forwarding will prevent this from happening.
- Separate admin roles. If you’re performing an admin activity such as installing software or managing some infrastructure, you should use a separate admin-only account for that, rather than applying admin permissions to the user account you use to check your email and create files.
- Educate your users and remain vigilant. The single most effective defence against cyber attacks is user education. Spearphishing emails are cleverly tailored to avoid suspicion. You might recognise the sender’s name, but is their email address correct? Would you expect this type of contact from this person, e.g. have they sent an email from their personal mailbox rather than their corporate one, or vice versa? Can you verify the legitimacy of the email by another means before clicking any links? It’s always better to be safe than sorry, so if in doubt, don’t click, and contact your IT administrator.
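One way to check for the forwarding rules mentioned in the mail-forwarding item above, as an added example (not code from the NCSC or from this article): a Python audit over an exported list of inbox rules and mailbox settings. The record layout, the `Mailbox` field, the `example.org` domain and the sample data are assumptions; the forwarding property names follow those Exchange Online reports for inbox rules and mailboxes.

```python
import re
# Assumption: the organisation's own (accepted) mail domains.
INTERNAL_DOMAINS = {"example.org"}
# Rule and mailbox properties that can send copies of mail elsewhere.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def external_targets(record, internal=INTERNAL_DOMAINS):
    """Return sorted forwarding addresses that fall outside our domains."""
    found = set()
    for field in FORWARD_FIELDS:
        value = record.get(field) or []
        if isinstance(value, str):
            value = [value]
        for item in value:
            for m in ADDR_RE.finditer(item):
                domain = m.group(1).lower()
                # Sub-domains of an internal domain count as internal.
                if not any(domain == d or domain.endswith("." + d) for d in internal):
                    found.add(m.group(0).lower())
    return sorted(found)

def audit(records):
    """Return one finding per record that forwards outside the organisation."""
    findings = []
    for rec in records:
        targets = external_targets(rec)
        if targets:
            # Disabled rules are reported too: they can simply be switched back on.
            findings.append({"mailbox": rec.get("Mailbox"), "rule": rec.get("Name"),
                             "enabled": rec.get("Enabled", True), "targets": targets})
    return findings

# Constructed sample export (not real data).
SAMPLE = [
    {"Mailbox": "alice@example.org", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ['"Bob" [SMTP:bob@example.org]']},
    {"Mailbox": "carol@example.org", "Name": ".", "Enabled": True,
     "RedirectTo": ['"c" [SMTP:carol.backup@mail.example.net]']},
    {"Mailbox": "dave@example.org", "Name": "(mailbox setting)",
     "ForwardingSmtpAddress": "smtp:dave@EXAMPLE.COM"},
    {"Mailbox": "erin@example.org", "Name": "Archive", "Enabled": False,
     "ForwardTo": ['"x" [SMTP:erin@sub.example.org]', "erin@example.net"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a periodic export, any finding is a prompt to confirm with the mailbox owner that the rule is theirs.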
Be aware that although anybody can be targeted, people with a larger ‘splash zone’ are more likely to be targeted. A ‘splash zone’ is the amount of organisation-wide access an individual has: the larger it is, the greater the scope of access and information an attack on that person can gain, and the bigger the impact on the victim organisation. As an example, a person with global admin access has a large splash zone and is more likely to be targeted.
Stay vigilant. If you need any further advice or information, please get in touch.