A threat actor has been targeting U.S. organizations with tens of thousands of emails purporting to be from U.S. government entities and private sector companies in order to steal victims’ corporate credentials.
The threat group, which researchers with Proofpoint track as TA4903, was first observed in December 2021 spoofing federal government entities, including the U.S. Department of Labor, the Department of Housing and Urban Development, the Department of Transportation, the Department of Commerce and the Department of Agriculture. Then in mid-2023, continuing into this year, Proofpoint observed the group shift its tactics slightly to instead spoof small and medium-sized businesses (SMBs) across industries such as construction, manufacturing, energy and finance. The group also began launching more business email compromise (BEC) attacks in addition to its credential phishing campaigns.
“TA4903 is a persistent, financially motivated threat actor that generally targets organizations in the U.S. with high-volume email campaigns,” according to researchers with Proofpoint on Wednesday. “Proofpoint assesses with high confidence that TA4903 activity leads to BEC objectives following their initial credential harvesting activity.”
The threat actor has used a variety of techniques across its attacks, including QR codes. In a credential theft email campaign late last year, for instance, messages purporting to be a bid proposal from the Department of Agriculture carried PDF attachments, and the PDFs contained QR codes that sent targets to government-branded phishing websites. Because the URL lives inside an image rather than in the message body, a QR code lure sidesteps URL rewriting and link scanning that only inspect the email's HTML, and it moves the victim onto a personal phone, outside the corporate browser and proxy.
Researchers observed the threat actor frequently registering new domains for its credential phishing attacks, with names that referenced government entities and private organizations across a variety of sectors. In 2023 the group was also seen leveraging EvilProxy, a known adversary-in-the-middle reverse proxy phishing kit that relays the victim's login to the real identity provider and captures the resulting session cookie, bypassing MFA; it is frequently used in attacks against executives. However, the use of this toolkit appeared to drop off, and the group has not been observed using EvilProxy so far in 2024.
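The two behaviours above, QR-code lures that land on government-branded pages and freshly registered domains whose names reference agencies, share one detection problem: deciding whether a URL that a QR decoder or a new-domain feed hands you is impersonating a U.S. agency. The following Python, an added example and not Proofpoint's tooling, scores such URLs with a small agency watchlist. It assumes the QR codes have already been decoded (the sample URLs below are constructed, not from the campaign), and the watchlist of agency tokens and legitimate domains is an illustrative assumption a defender would maintain and extend.

```python
"""Flag URLs (e.g. decoded from QR codes in PDF lures, or from a newly
registered domain feed) that impersonate U.S. government agencies.
Added example; the watchlist and sample URLs are constructed."""
import re
from urllib.parse import urlparse

# Assumed watchlist: agency token -> that agency's legitimate domain.
# Very short tokens cause false positives, so tokens only match as whole
# labels after splitting on '.', '-' and '_' (e.g. "usda-bids" -> "usda").
AGENCY_TOKENS = {
    "usda": "usda.gov",
    "dol": "dol.gov",
    "hud": "hud.gov",
    "dot": "dot.gov",
    "commerce": "commerce.gov",
}

# Undo common digit-for-letter substitutions before token matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname_of(url):
    """Lower-cased hostname, tolerating bare domains without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def tokens(host):
    """Split a hostname into label-like tokens for whole-token matching."""
    return [t for t in re.split(r"[.\-_]", host.translate(LEET)) if t]


def under_domain(host, legit):
    """True when host is the legitimate domain or a subdomain of it."""
    return host == legit or host.endswith("." + legit)


def assess_url(url):
    """Return a verdict plus the individual impersonation findings."""
    host = hostname_of(url)
    if not host:
        return {"url": url, "host": host, "verdict": "invalid", "findings": ["no hostname"]}
    path = urlparse(url if "://" in url else "http://" + url).path.lower()
    tld = host.split(".")[-1]
    toks = tokens(host)
    findings = []

    # Rule 1: an agency name used on a host that is not under the agency's real domain.
    for token, legit in AGENCY_TOKENS.items():
        if token in toks and not under_domain(host, legit):
            findings.append(f"agency token '{token}' on host not under {legit}")

    # Rule 2: "gov" as a label or hyphenated token under a non-.gov TLD
    # (e.g. dol.gov.verify-account.com or secure-gov-portal.net).
    if tld != "gov" and "gov" in toks:
        findings.append("'gov' used as a label under a non-.gov TLD")

    # Rule 3: the real agency domain appears in the path rather than the host,
    # a common trick when the lure is hosted on shared or CDN infrastructure.
    for legit in set(AGENCY_TOKENS.values()):
        if legit in path and not under_domain(host, legit):
            findings.append(f"{legit} appears in URL path on unrelated host")

    verdict = "suspicious" if findings else "no_brand_impersonation"
    return {"url": url, "host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs, not URLs observed in the campaign.
    for sample in [
        "https://www.usda.gov/procurement/bids",
        "https://usda-bidproposal.com/login",
        "https://dol.gov.verify-account.com/",
        "https://cdn.example.net/hud.gov/signin",
        "https://example.com/newsletter",
    ]:
        r = assess_url(sample)
        print(f"{r['verdict']:24} {sample}  {r['findings']}")
```

The whole-token rules deliberately miss fused spellings such as "usdagov-bids" to avoid matching words like "governor"; a production version would add edit-distance matching against the watchlist and a public suffix list so that the registrable domain, not the last two labels, is what gets compared.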
The threat actor's more recent business email compromise attacks, which spoof small and medium-sized businesses, have grown in number, and researchers said the group's earlier credential phishing campaigns were likely precursors to this follow-on BEC activity, with stolen information used to identify targets or craft social engineering lures. After compromising a mailbox, the threat actor would search it for information related to payments or invoices and then send additional campaign emails from the compromised inbox, so that the follow-on messages arrive from a trusted, authenticated sender.
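The post-compromise sequence described above (log in, search the mailbox for payment or invoice material, then send from it) is detectable from mailbox audit telemetry. The Python below, an added example rather than anything from the Proofpoint report, runs that logic over a handful of constructed audit events; the event schema, the internal domain `example-corp.test` and the 24-hour correlation window are assumptions, and a real deployment would map them onto the actual audit log (for example, Microsoft 365 `SearchQueryInitiated` and `Send` operations).

```python
"""Correlate payment-themed mailbox searches with subsequent outbound mail
to external recipients. Added example; events and schema are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example.
INTERNAL_DOMAIN = "example-corp.test"
PAYMENT_TERMS = ("invoice", "payment", "remittance", "wire", "bank details", "purchase order")
WINDOW = timedelta(hours=24)

# Constructed audit events (not real telemetry). Each has an ISO timestamp,
# the mailbox owner, an operation and operation-specific fields.
EVENTS = [
    {"ts": "2024-03-05T09:00:00", "user": "alice@example-corp.test", "op": "Login", "ip": "203.0.113.7"},
    {"ts": "2024-03-05T09:05:00", "user": "alice@example-corp.test", "op": "SearchQuery", "query": "invoice due"},
    {"ts": "2024-03-05T09:30:00", "user": "alice@example-corp.test", "op": "Send",
     "subject": "Updated remittance details", "recipients": ["ap@vendor-one.test", "billing@vendor-two.test"]},
    {"ts": "2024-03-05T10:00:00", "user": "alice@example-corp.test", "op": "Send",
     "subject": "Updated remittance details", "recipients": ["finance@customer-a.test", "payables@customer-b.test"]},
    {"ts": "2024-03-05T11:00:00", "user": "bob@example-corp.test", "op": "SearchQuery", "query": "team offsite"},
    {"ts": "2024-03-05T11:10:00", "user": "bob@example-corp.test", "op": "Send",
     "subject": "Offsite agenda", "recipients": ["hotel@venue.test"]},
    {"ts": "2024-03-05T12:00:00", "user": "carol@example-corp.test", "op": "SearchQuery", "query": "payment approval"},
    {"ts": "2024-03-05T12:30:00", "user": "carol@example-corp.test", "op": "Send",
     "subject": "Re: payment approval", "recipients": ["cfo@example-corp.test"]},
]


def is_payment_query(query):
    q = query.lower()
    return any(term in q for term in PAYMENT_TERMS)


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    return address.split("@")[-1].lower() != internal_domain


def find_bec_patterns(events, internal_domain=INTERNAL_DOMAIN, window=WINDOW):
    """One alert per mailbox whose first payment-themed search is followed,
    within the window, by mail sent to at least one external recipient."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        trigger = next((e for e in evs if e["op"] == "SearchQuery" and is_payment_query(e["query"])), None)
        if trigger is None:
            continue
        t0 = datetime.fromisoformat(trigger["ts"])
        external, subjects = set(), set()
        for e in evs:
            if e["op"] != "Send":
                continue
            t = datetime.fromisoformat(e["ts"])
            if t0 <= t <= t0 + window:
                ext = [r for r in e["recipients"] if is_external(r, internal_domain)]
                if ext:
                    external.update(ext)
                    subjects.add(e["subject"])
        if external:
            alerts.append({
                "user": user,
                "trigger_query": trigger["query"],
                "trigger_ts": trigger["ts"],
                "external_recipients": len(external),
                "subjects": sorted(subjects),
            })
    return alerts


if __name__ == "__main__":
    for a in find_bec_patterns(EVENTS):
        print(a)
```

Accounts-payable staff search for invoices legitimately, so this rule is a triage signal rather than a verdict: pair it with the login context (new IP, new country, new user agent on the session that ran the search) and with recipient domains the mailbox has never corresponded with before, which is what distinguishes the actor's outbound campaign from routine AP work.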
“It is possible the actor’s techniques have shifted as a result of the efficacy of such campaigns, or it is just a temporary change in the overall TTPs,” according to researchers.