Russian hacking group Seaborgium targets SNP MP Stewart McDonald

Scottish National Party MP Stewart McDonald has become the latest victim of a Russian state-backed hacking group that specialises in targeting non-government organisations (NGOs), politicians, journalists and other people of influence.

Stewart McDonald, former SNP defence spokesman, said today that hackers believed to be linked to the Russian state had gained access to his private emails and might publish them on the internet.

The disclosure follows warnings from the UK’s National Cyber Security Centre, part of GCHQ, that the Russian hacking group Seaborgium, also known as Cold River, is launching highly targeted phishing attacks against people of interest to the Russian state.

The hacking group, which is believed to be linked to the Russian FSB intelligence agency, was responsible for hack and leak operations last year against former head of MI6 Richard Dearlove, journalist Paul Mason and other, undisclosed, targets.

“Over the past couple of weeks. I have been dealing with a sophisticated and targeted spear phishing hack of my personal email account, and the personal email account belonging to one of my staff. These hacks are a criminal offence,” McDonald wrote on Twitter.

In an interview with the BBC, McDonald said that on 13 January 2023, he received an email on his private account from a member of staff, purporting to link to a password-protected document about the war in Ukraine.

The MP for Glasgow South has taken an interest in the Ukraine war, and has received the order of merit from the Ukrainian government, the BBC reported.

McDonald said he clicked on a link in the document and was taken to a web page that asked for his password, which he typed in. The password took McDonald to a blank page.

“These [spear phishing attacks] are highly sophisticated and deeply convincing. Having spoken with others who this has also happened to – most of whom have a heightened sense of cyber security and good practice – it’s easy to see how anyone can fall victim”

A few days later, the member of staff concerned reported that he had been locked out of his personal email and was having trouble regaining access to it because of suspicious activity on his account. The staff member also confirmed that he had not sent McDonald the suspicious email.

The incident occurred as the NCSC was preparing to publish new warnings of the activities of Seaborgium and of similar Iranian hacking groups. The NCSC confirmed to the BBC that it was investigating the incident.

“It became clear that the tactics used in this hack mirrored a recent NCSC advisory notice on spear phishing emails that target academia, defence, government organisations, NGOs, think tanks, as well as politicians, journalists and activists,” he wrote on Twitter.

“As was the case here, these attempts are highly sophisticated and deeply convincing. Having spoken with others who this has also happened to – most of whom have a heightened sense of cyber security and good practice – it’s easy to see how anyone can fall victim,” he added.

McDonald told the BBC that he had spoken out to limit the potential damage as he waits to see what the hackers do with the stolen material, and to warn others about the risks of phishing.

He said he had to assume that the hackers might publish some of the stolen information and were likely to modify some of the contents.

“I also don’t doubt that, in amongst some genuine emails, there will be emails that are entirely false. It’s an old tactic,” he wrote on Twitter.

It is also possible that the hacking group may have been more interested in finding out who he was communicating with and the contents of those communications than in leaking his correspondence, the MP said.

McDonald said that in some cases other victims he had spoken to have had their emails leaked, and in other cases they have not.

“I want to raise awareness and urge people to be extra vigilant,” he said.