Microsoft said it disrupted a hacking and social engineering operation associated with a cyber espionage group identified as Seaborgium that targets individuals and organizations in NATO countries.
The threat actor, which Microsoft has tracked since 2017, is believed to have ties to the Russian government and is primarily focused on targets in NATO countries, particularly the US and the UK, but occasionally conducts operations targeting countries in the Baltics, the Nordics, and Eastern Europe.
“Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine. Despite some targeting of these organizations, Microsoft assesses that Ukraine is likely not a primary focus for this actor; however, it is most likely a reactive focus area for the actor and one of many diverse targets,” the tech giant notes.
The group’s targets include defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education institutions.
Seaborgium’s modus operandi involves creating online personas via email, social media accounts and LinkedIn profiles that are used in social engineering schemes targeting individuals or organizations of interest. The attackers then attempt to establish contact with the potential victim and, if successful, send the target a phishing email.
Microsoft said the threat actor also abuses OneDrive to host PDF files that contain a link to the malicious URL, included in the body of the email. After obtaining the victim’s credentials, Seaborgium uses them to sign in to the victim’s email account, and then either steals emails and attachments or sets up forwarding rules to receive all new emails sent to the compromised account.
“Based on the specific victimology, documents stolen, conversations fostered, and sustained collection observed, we assess that espionage is likely a key motivation of the actor,” Microsoft noted.