Russian-Connected Hackers Target NGOs and Media in Eastern Europe

August 15, 2024Ravie LakshmananCyber Intrusion / Manipulation

Non-governmental organizations from Russia and Belarus, independent media entities in Russia, as well as international non-profit groups operating in Eastern Europe, have been singled out for attack by two distinct spear-phishing initiatives led by threat actors sharing interests with the Russian government.

One of the campaigns, known as River of Phish, has been linked to COLDRIVER, an adversarial unit affiliated with Russia’s Federal Security Service (FSB), while the other series of attacks has been attributed to a previously uncategorized threat group named COLDWASTREL.


The targets of these campaigns also included prominent Russian opposition figures living abroad, U.S. think tank scholars and policymakers, and a former U.S. ambassador to Ukraine, according to a joint investigation by Access Now and the Citizen Lab.

“Both types of attacks were intricately crafted to mislead members of the target organizations,” Access Now stated. “The predominant attack approach observed entailed sending an email either from a breached account or from a fake account closely resembling that of someone familiar to the victim.”

River of Phish employs personalized and believable social engineering to deceive victims into clicking a link embedded in a PDF lure, which redirects them to a credential-harvesting page. Along the way the operators fingerprint the compromised hosts, possibly to keep automated analysis tools away from the second-stage infrastructure.


The fraudulent emails are dispatched from Proton Mail addresses impersonating organizations or known individuals to the victims.

“The attacker frequently neglected to attach a PDF file to the initial email requesting review of the ‘attached’ document,” the Citizen Lab explained. “We believe this was intentional to enhance communication credibility, reduce detection risks, and specifically focus on individuals who responded to the initial contact (e.g., pointing out the absence of an attachment).”

Connections to COLDRIVER are reinforced by the use of seemingly encrypted PDF files in the attacks, which prompt victims to open them on Proton Drive by following a link, a tactic the threat actor has employed before.


Similar social engineering tactics are also seen with COLDWASTREL, in particular the use of Proton Mail and Proton Drive to lure targets into clicking a link that redirects them to a counterfeit Proton login page (“protondrive[.]online” or “protondrive[.]services”). This activity was first detected in March 2023.

Nonetheless, COLDWASTREL diverges from COLDRIVER in its use of look-alike domains for collecting credentials and in differences in PDF content and metadata. The entity responsible for this activity remains unidentified at this stage.
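The report describes three observable traits of these lures: a sender whose display name matches a known contact but whose address does not, an email that asks the recipient to review an "attached" document that is not actually attached, and a link to a Proton look-alike domain. The following triage script, added here as an illustration and not code from Access Now, the Citizen Lab, or the reporting above, turns those three traits into mailbox rules and runs them over a few constructed sample messages. The contact list, the sample messages, and the list of genuine Proton domains are assumptions made for the example; the two look-alike domains are the ones named in the report.

```python
"""Mail triage rules for the lure traits described in the report (added example)."""
import re
from email.utils import parseaddr

# Assumption: domains the organisation treats as genuine Proton services.
LEGIT_PROTON_DOMAINS = {"proton.me", "protonmail.com", "drive.proton.me", "mail.proton.me"}

# Look-alike credential-harvesting domains named in the report.
KNOWN_LOOKALIKES = {"protondrive.online", "protondrive.services"}

# Captures the host portion of any http(s) URL in free text.
URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


def host_of(netloc: str) -> str:
    """Normalise a URL host: drop any port, lowercase, strip trailing dots."""
    return netloc.split(":")[0].lower().strip(".")


def is_proton_lookalike(host: str) -> bool:
    """True if the host imitates Proton but is not a genuine Proton domain."""
    if host in LEGIT_PROTON_DOMAINS or any(host.endswith("." + d) for d in LEGIT_PROTON_DOMAINS):
        return False
    return host in KNOWN_LOOKALIKES or "proton" in host


def triage(msg: dict, contacts: dict) -> list[str]:
    """Return the names of the indicators a single message triggers.

    msg:      {"from": "Name <addr>", "subject": str, "body": str, "attachments": [names]}
    contacts: {display name: the address that contact is known to use}
    """
    hits = []
    name, addr = parseaddr(msg["from"])
    known = contacts.get(name)
    # 1. Display name belongs to a known contact, but the address differs.
    if known and known.lower() != addr.lower():
        hits.append("display_name_impersonation")
    # 2. The text refers to an attached document, yet nothing is attached.
    text = msg["subject"] + "\n" + msg["body"]
    if re.search(r"\battached\b", text, re.IGNORECASE) and not msg.get("attachments"):
        hits.append("attachment_mentioned_but_missing")
    # 3. Any link whose host imitates Proton.
    for m in URL_RE.finditer(text):
        if is_proton_lookalike(host_of(m.group(1))):
            hits.append("proton_lookalike_link")
            break
    return hits


# Constructed sample data: one address book entry and three messages.
CONTACTS = {"Anna Petrova": "anna.petrova@example-ngo.org"}

SAMPLE_MESSAGES = [
    {   # Constructed lure: impersonated colleague, missing attachment, look-alike link.
        "from": "Anna Petrova <anna.petrova.ngo@protonmail.com>",
        "subject": "Please review the attached document",
        "body": "Hi, see the attached file. If it does not open, use "
                "https://protondrive.online/share/abc123",
        "attachments": [],
    },
    {   # Constructed benign mail: right sender address, attachment present.
        "from": "Anna Petrova <anna.petrova@example-ngo.org>",
        "subject": "Agenda attached",
        "body": "Draft agenda for Thursday.",
        "attachments": ["agenda.pdf"],
    },
    {   # Constructed benign mail: genuine Proton Drive link from an unknown sender.
        "from": "press@example.com",
        "subject": "Files",
        "body": "https://drive.proton.me/urls/XYZ",
        "attachments": [],
    },
]


def triage_all(messages=SAMPLE_MESSAGES, contacts=CONTACTS) -> list[list[str]]:
    """Run the rules over every message and return the per-message hit lists."""
    return [triage(m, contacts) for m in messages]


if __name__ == "__main__":
    for msg, hits in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{msg['from']!r}: {hits or 'no indicators'}")
```

Only the first sample trips all three rules; the second is a legitimate internal mail with a real attachment, and the third links to a genuine Proton Drive host, which rule 3 deliberately leaves alone. Rule 1 is the one that carries the most weight against the campaigns described here, since both groups sent from Proton Mail accounts posing as people the victim already knew.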

“Given the ease of discovery, phishing remains not only a successful tactic but also a viable method to persist international targeting operations without risking detection of more advanced (and costly) capabilities,” as stated by the Citizen Lab.
