Russian-Linked Hackers Target Eastern European NGOs and Media

Aug 15, 2024 | Ravie Lakshmanan | Cybersecurity Breach / Social Engineering

Non-governmental organizations from Russia and Belarus, Russian independent media outlets, and international non-governmental organizations operating in Eastern Europe have become the targets of two separate spear-phishing campaigns run by threat actors whose interests align with those of the Russian government.

While one of the campaigns, known as River of Phish, has been linked to COLDRIVER, an adversarial collective affiliated with Russia's Federal Security Service (FSB), the second wave of attacks has been attributed to a previously unknown threat cluster labeled COLDWASTREL.


The targets of these campaigns also included prominent Russian dissidents living abroad, staff and scholars affiliated with American think tanks and policy circles, and a former United States ambassador to Ukraine, according to a joint investigation by Access Now and the Citizen Lab.

“Both forms of attacks were meticulously customized to ensnare members of the targeted organizations,” Access Now stated. “The prevalent pattern of attack we noticed involved emails either sent from a compromised account or from an account that appeared to be similar to that of a known contact of the victim.”

River of Phish relies on tailored, realistic social engineering to lure victims into clicking an embedded link in a PDF decoy document, which leads them to a credential-harvesting page. The campaign also fingerprints the compromised hosts, most likely to keep automated analysis tools from reaching the second-stage infrastructure.


The phishing emails are sent from Proton Mail accounts impersonating organizations or individuals known to the recipients.

“We frequently witnessed the attacker refraining from attaching a PDF document to the initial message requesting a review of the ‘attached’ file,” the Citizen Lab mentioned. “We suspect this was intentional, aimed at enhancing the credibility of the communication, reducing the likelihood of detection, and singling out only those targets that responded to the initial contact (e.g., pointing out the absence of an attachment).”

The link to COLDRIVER is reinforced by the attacks' use of PDF files that appear to be encrypted and prompt the targets to open them on Proton Drive by clicking a link, a tactic the threat actor has used before.


Some of the social engineering tactics also extend to COLDWASTREL, particularly the use of Proton Mail and Proton Drive to trick targets into clicking a link that redirects them to a fake Proton login page ("protondrive[.]online" or "protondrive[.]services"). The attacks were first documented in March 2023.

COLDWASTREL nonetheless differs from COLDRIVER in its use of lookalike domains for credential harvesting and in differences in the PDF content and metadata. Attribution for this activity remains unknown at this stage.
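As an added defensive example that is not part of the article or of the Access Now / Citizen Lab report, the script below triages inbound mail for the two lure patterns described above: links to lookalike Proton domains such as "protondrive[.]online", and a message that refers to an "attached" file while carrying no attachment. The sample emails are constructed, and the list of legitimate Proton domains is an assumption made for illustration, so tune it to your own environment before use.

```python
"""Heuristic email triage for the two lure patterns discussed above.

Added example, not code from the article or the report it summarizes.
Sample messages are constructed; LEGIT_PROTON_DOMAINS is an assumption.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Domains assumed (for this example) to legitimately serve Proton services.
LEGIT_PROTON_DOMAINS = {"proton.me", "protonmail.com"}
# Brand tokens whose presence in a non-legitimate host suggests a lookalike.
BRAND_TOKENS = ("proton", "protondrive", "protonmail")

ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def refang(url):
    """Turn a defanged indicator like protondrive[.]online back into a URL."""
    return url.replace("[.]", ".")


def registered_domain(host):
    """Crude registrable-domain extraction (last two labels); good enough
    for the brand check here, not a public-suffix-list replacement."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike_proton(url):
    """True if the URL's host invokes the Proton brand without being a
    legitimate Proton domain (or a subdomain of one)."""
    host = (urlparse(refang(url)).hostname or "").lower()
    if host in LEGIT_PROTON_DOMAINS or registered_domain(host) in LEGIT_PROTON_DOMAINS:
        return False
    return any(token in host for token in BRAND_TOKENS)


def triage(msg):
    """Return a list of finding tags for one message; empty means nothing seen."""
    findings = []
    for raw in URL_RE.findall(msg.body):
        if is_lookalike_proton(raw):
            findings.append(f"lookalike-proton-link:{urlparse(refang(raw)).hostname}")
    # The "review the attached file" pretext with nothing attached.
    if ATTACHMENT_WORDS.search(msg.body) and not msg.attachments:
        findings.append("mentions-attachment-but-none-present")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = [
    Email("colleague@proton.me", "Please review",
          "Hi, could you look at the attached document and send comments?"),
    Email("colleague@proton.me", "Encrypted document",
          "Open it on Proton Drive: https://protondrive[.]online/doc/123"),
    Email("colleague@proton.me", "Shared file",
          "https://drive.proton.me/urls/ABC", attachments=["report.pdf"]),
]


def triage_all(msgs):
    return {m.subject: triage(m) for m in msgs}


if __name__ == "__main__":
    for subject, findings in triage_all(SAMPLES).items():
        print(f"{subject}: {findings or 'clean'}")
```

Both heuristics are deliberately simple and will produce false positives (a legitimate "see attached" email whose sender forgot the file, for instance), so they are better used to route messages for analyst review or to enrich an alert than to block outright; the brand check should also be backed by a real public-suffix library rather than the two-label shortcut used here.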

“As long as the risk of exposure remains low, phishing continues to be not only an effective method but also a means to sustain global targeting while evading the unveiling of more advanced (and costly) capabilities,” asserted the Citizen Lab.
