Western, Russian Civil Society Targeted in Sophisticated Phishing Attacks 


Two Russia-linked threat actors have been observed targeting multiple entities perceived as Russia’s enemies in two spear-phishing campaigns, Access Now and Citizen Lab report.

The attacks have been ongoing since at least the beginning of 2023, when several international NGOs received phishing emails from a Proton Mail account impersonating one of their staff members. That staff member’s own email account had previously been targeted in October 2022.

According to Access Now, the threat actors are continuing their assaults and, as of August 2024, members of previously targeted organizations are still receiving phishing emails.

Targets include media organizations, Russian opposition figures in exile, staff at NGOs in the US and Europe, funders, and former officials and academics in the US think tank and policy space.

The common link between the targets is their focus on Russia, Ukraine, or Belarus, with some of the targets still living or working in Russia. Polina Machold, publisher of Proekt Media, which reports on corruption and abuses of power in Russia and was declared an ‘undesirable organization’ in the country, is one of the targets.

“We judge that these targets may have been selected for their extensive networks among sensitive communities, such as high-risk individuals within Russia. For some, successful compromise could result in extremely serious consequences, such as imprisonment or physical harm to themselves or their contacts,” Citizen Lab notes.

The total number of targets, Citizen Lab says, is likely much larger and could include the US government, given prior reporting on Coldriver, one of the two threat actors behind the attacks, and the fact that US government personnel were impersonated in these campaigns.

Active since at least 2015 and also tracked as BlueCharlie, Callisto, Seaborgium, Star Blizzard, and TA446, Coldriver is believed to be subordinate to Russia’s domestic intelligence agency, the Federal Security Service (FSB).


The second threat actor involved in these phishing campaigns, referred to as Coldwastrel, is newly identified, although its activity predates 2024. Coldwastrel’s targeting appears to align with the interests of the Russian government.

The threat actors were seen delivering highly personalized spear-phishing emails to their targets, often impersonating colleagues, funders, and US government employees, and often continuing the conversation after the initial message.

Often the attackers’ initial emails instructed the target to review an attached PDF that was not actually included.

The lure PDF files purported to be encrypted with a privacy-focused online service and, when opened, displayed blurred text alongside a link to “decrypt” or access the file. The files are not actually encrypted; the blur and the link are the lure. Citizen Lab refers to the campaign as “Rivers of Phish”.

If the victim clicked on the phishing link, their browser fetched JavaScript code from a remote server to fingerprint their systems. For targets deemed of interest, the attack continued with a redirection to a phishing page impersonating their email service and often pre-populated with the victim’s email address.

Should the victim enter their password and second-factor code, the attackers would use them in real time to complete the login against the genuine service and retrieve a session cookie for the account, which gave them access for the lifetime of that session without having to re-authenticate.
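The flow above (a lookalike login page that relays the victim’s password and one-time code to the real service and keeps the resulting session cookie) is easier to reason about when modelled end to end. The following is an added illustration written for this page, not code from Citizen Lab, Access Now, SecurityWeek or the threat actors: a toy identity provider accepting password plus RFC 6238 TOTP, the relay the attacker performs with what the victim typed, and the same relay attempted against an origin-bound second factor of the kind a FIDO2/WebAuthn security key provides. The service name, origins, account, secrets and the HMAC stand-in for the authenticator’s signature are all assumptions made for the example.

```python
"""Toy model of a real-time credential + OTP relay, and why an origin-bound second factor
resists it.  Added example; service, origins, accounts and keys below are all made up."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://mail.example"            # assumed: the victim's genuine webmail origin
PHISH_ORIGIN = "https://mail-example.invalid"   # assumed: the attacker's lookalike origin


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app computes it."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a WebAuthn assertion: the authenticator signs the challenge together
    with the origin the *browser* reports, so the assertion is bound to the page the user
    is really on.  HMAC replaces the real public-key signature to keep this self-contained."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class ToyIdP:
    """Constructed identity provider: password + TOTP, or an origin-bound key."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.pending: dict[str, bytes] = {}     # email -> outstanding challenge
        self.sessions: dict[str, str] = {}      # cookie -> email

    def register(self, email: str, password: str, totp_secret: bytes, fido_key: bytes) -> None:
        self.users[email] = {"pw": password, "totp": totp_secret, "fido": fido_key}

    def _issue_cookie(self, email: str) -> str:
        cookie = secrets.token_hex(16)          # this cookie is what the attacker is after
        self.sessions[cookie] = email
        return cookie

    def login_totp(self, email: str, password: str, otp: str, now: int) -> str | None:
        u = self.users.get(email)
        if u is None or not hmac.compare_digest(u["pw"], password):
            return None
        if not hmac.compare_digest(totp(u["totp"], now), otp):
            return None                         # wrong code, or outside its 30 s window
        return self._issue_cookie(email)

    def begin_fido(self, email: str) -> bytes:
        self.pending[email] = secrets.token_bytes(32)
        return self.pending[email]

    def finish_fido(self, email: str, assertion: bytes) -> str | None:
        u = self.users.get(email)
        challenge = self.pending.pop(email, None)
        if u is None or challenge is None:
            return None
        # The relying party only accepts assertions bound to its own origin.
        expected = authenticator_sign(u["fido"], challenge, REAL_ORIGIN)
        return self._issue_cookie(email) if hmac.compare_digest(expected, assertion) else None


def run_scenarios(now: int = 1_700_000_000) -> dict[str, bool]:
    """Whether each scenario ends with the attacker (or legitimate user) holding a cookie."""
    idp = ToyIdP()
    email, password = "journalist@example.org", "correct horse battery staple"  # constructed
    totp_secret, fido_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp.register(email, password, totp_secret, fido_key)

    # 1. Password + TOTP.  The victim types both into the lookalike page; the attacker's
    #    proxy replays them against the real service within the code's window and keeps
    #    the cookie, so no further authentication is needed afterwards.
    typed_otp = totp(totp_secret, now)                        # read off the victim's app
    relayed_cookie = idp.login_totp(email, password, typed_otp, now)

    # 1b. The same code relayed too late is useless, which is why the relay is real-time.
    late_cookie = idp.login_totp(email, password, typed_otp, now + 90)

    # 2. Origin-bound key, legitimate login from the real origin.
    challenge = idp.begin_fido(email)
    good_cookie = idp.finish_fido(email, authenticator_sign(fido_key, challenge, REAL_ORIGIN))

    # 3. Same relay against the origin-bound key.  The attacker forwards a genuine
    #    challenge, but the victim's browser is on PHISH_ORIGIN, so the authenticator binds
    #    the assertion to that origin and the real service rejects it.
    challenge = idp.begin_fido(email)
    phished = idp.finish_fido(email, authenticator_sign(fido_key, challenge, PHISH_ORIGIN))

    return {
        "totp_relay_gets_cookie": relayed_cookie is not None,
        "totp_relay_after_window": late_cookie is not None,
        "legit_fido_login_works": good_cookie is not None,
        "fido_relay_gets_cookie": phished is not None,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the model is the asymmetry it exposes: a one-time code is just a short string the victim can be talked into typing anywhere, so it is relayed as easily as the password, whereas an assertion that the browser binds to the origin it is actually showing cannot be replayed against a different origin, no matter how convincing the page looks.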

“We did not directly observe the second stage of the attack or the credentials being passed back to the attacker’s infrastructure; however, based on the targets’ descriptions of the login page it is likely that the attackers leveraged a tool that is specifically designed to capture user credentials and enable unauthorized access,” Citizen Lab notes.

As part of the observed campaigns, the attackers used domains registered with Hostinger, which rotates the IP addresses behind these domains every 24 hours, and no domain remained operational for more than 30 days, which limits the value of static IP or domain blocklists as a defense.

Some of the targeted entities, Citizen Lab says, were likely the focus of multiple threat actors, and might have been targeted with malware as well, although Coldriver did not use malware in these phishing attacks.

Individuals who believe they might have been targeted with similar phishing attempts are encouraged to harden their email accounts with properly configured multi-factor authentication (preferably a phishing-resistant second factor such as a hardware security key, since one-time codes can be relayed in real time as described above), to enroll in programs for high-risk users, and to contact Access Now’s Digital Security Helpline for help.

Related: US Sanctions Russian Hacktivists for Targeting Critical Infrastructure

Related: US Disrupts AI-Powered Russian Bot Farm on X

Related: US, Russia Accuse Each Other of Potential Election Cyberattacks

Related: HPE Says Russian Government Hackers Had Access to Emails for 6 Months
