Russian-Linked Hackers Target Eastern European NGOs and Media

Aug 15, 2024Ravie LakshmananCyber Attack / Social Engineering

Non-governmental organizations from Russia and Belarus, independent media outlets in Russia, and global NGOs operating in Eastern Europe are the focus of two distinct spear-phishing campaigns carried out by threat actors aligned with the Russian government’s interests.

One of the campaigns, known as River of Phish, has been linked to COLDRIVER, a hostile group associated with Russia’s Federal Security Service (FSB). The other attacks have been attributed to a previously unknown threat group named COLDWASTREL.

The targets of these campaigns also include notable Russian opposition figures in exile, officials and scholars in US think tanks, and a former US ambassador to Ukraine, as per a collaborative investigation by Access Now and the Citizen Lab.

“Both types of attacks were finely crafted to deceive individuals within the targeted organizations,” Access Now stated. “The predominant attack method observed was emails sent from compromised or spoofed accounts resembling those of people known to the victims.”

River of Phish relies on personalized and credible social engineering to lure victims into clicking a link embedded in a PDF document. The link leads to a fake login page that harvests credentials, but only after fingerprinting the infected host, a step intended to keep automated analysis tools from reaching the follow-on infrastructure.

The fraudulent emails are sent from Proton Mail accounts posing as familiar organizations or individuals known to the victims.

“We observed instances where the attacker sent an email without attaching a PDF file initially, prompting the recipient to review the ‘attached’ document,” the Citizen Lab report noted. “This tactic was likely intentional to enhance credibility, reduce detection risk, and filter for targets responsive to the initial contact (e.g., pointing out the missing attachment).”

The attribution to COLDRIVER is reinforced by the use of PDF files that appear to be encrypted and urge the victim to open them on Proton Drive by clicking a link, a technique seen in the group’s previous attacks.

COLDWASTREL’s tactics share some of these social engineering elements, notably the use of Proton Mail and Proton Drive to deceive targets into clicking a link that redirects them to a fake login page (“protondrive[.]online” or “protondrive[.]services”) designed to mimic Proton. These attacks were first identified in March 2023.

However, COLDWASTREL deviates from COLDRIVER by employing lookalike domains for credential harvesting and variations in PDF content and metadata. The group responsible for this activity has not been identified at this stage.
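The lookalike domains above are the kind of indicator a mail team can act on. The following is an added defender-side example (not code from the article, Access Now or the Citizen Lab) that scans constructed message bodies for URLs whose host trades on the Proton name but whose registrable domain is not Proton-owned; the allowlist of Proton domains is an assumption, and the two lookalike domains in the sample data are the ones named in the article.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of Proton's legitimate registrable domains (assumption, not from the article).
PROTON_DOMAINS = {"proton.me", "protonmail.com", "protonmail.ch", "pm.me"}
BRAND_KEYWORD = "proton"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging (hxxp:// and example[.]com) so URLs can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (adequate for .online/.services/.me)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a single URL."""
    host = urlparse(refang(url)).hostname or ""
    if registrable_domain(host) in PROTON_DOMAINS:
        return "legit"
    if BRAND_KEYWORD in host:
        return "lookalike"  # uses the brand name outside a Proton-owned domain
    return "unrelated"


def find_lookalikes(messages):
    """Scan (message_id, body) pairs and return (message_id, url) for Proton lookalike links."""
    hits = []
    for msg_id, body in messages:
        for url in URL_RE.findall(refang(body)):
            if classify_url(url) == "lookalike":
                hits.append((msg_id, url))
    return hits


# Constructed sample message bodies; the two lookalike hosts are those reported in the article.
SAMPLE_MESSAGES = [
    ("m1", "Please review the attached file: https://protondrive[.]online/share/abc"),
    ("m2", "Shared with you via Proton Drive: https://drive.proton.me/urls/XYZ"),
    ("m3", "Document: hxxps://protondrive[.]services/doc/123"),
    ("m4", "Agenda: https://example.org/agenda.pdf"),
]

if __name__ == "__main__":
    for msg_id, url in find_lookalikes(SAMPLE_MESSAGES):
        print(f"{msg_id}: suspicious Proton lookalike -> {url}")
```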

“With low discovery costs, phishing remains not only an effective technique but also a means to pursue global targets while avoiding the exposure of more sophisticated (and costly) capabilities,” the Citizen Lab concluded.
