Russian-aligned cyber espionage groups [1], Coldriver and Coldwastrel [1] [5] [6] [9], have been conducting sophisticated spear-phishing campaigns against Western and Russian civil society entities for two years [1].
Description
Coldriver [1] [3] [4] [5] [6] [8] [9], also known as Star Blizzard and Blue Callisto [3], is believed to be affiliated with Russia’s Federal Security Service (FSB) and has targeted prominent Russian opposition figures in exile, funders of media organizations [1] [2] [3] [4] [9], and staff at US and European NGOs [1]. Its campaign, dubbed River of Phish [3], relies on personalized social-engineering tactics to gain access to online accounts [4] [11]. Coldwastrel [1] [2] [3] [5] [6] [8] [9], a newly discovered group [1] also aligned with Russian security services [3], targets individuals with connections to Russia [3], Ukraine [2] [3] [5] [6] [9] [10], or Belarus [3] [9], including Russian opposition figures and those connected to them [3]. Both campaigns are part of Russian cyber espionage efforts [8]: Coldriver is believed to work for the FSB, while Coldwastrel is thought to work for a different Russian agency. Indicators from these campaigns are being shared with email providers to help track and block them [11].

The attacks have targeted Russian opposition politicians [5], human rights activists [5], NGO workers [5], media personnel [5], and charities [5], as well as their Belarusian and Western counterparts [5]. Coldwastrel has been identified in attacks on the Russian rights organization First Department [5]. Phishing targets have included former US Ambassador to Ukraine Steven Pifer and the independent investigative news outlet Proekt [5]. The phishing emails carry encrypted PDF documents and are sent from addresses impersonating one of the target’s colleagues [5]; a successful lure gives the attackers access to the victim’s email correspondence and other files in the account [5]. Access Now warned that these attacks could be harmful [5], particularly to Russian and Belarusian organizations and independent media [5].
The campaigns targeted individuals between April and June 2024 (Coldriver) and from October 2022 to August 2024 (Coldwastrel), with high-risk individuals within Russia being the main targets. Russian government-connected hackers went after Eastern European human rights-focused groups [10], media outlets [10], and a former US ambassador to Ukraine with carefully crafted email spear-phishing lures [10]. Despite being named and shamed [10], Russian threat actors continue their hacking activities [10], underscoring the persistence of Kremlin-linked hacking campaigns [10]. The attacks demonstrate a high level of social engineering and relentless targeting of individuals viewed as threats by the Russian government [10]. The River of Phish campaign [3], believed to be run by the Coldriver group linked to the Russian Federal Security Service [4], has also impersonated US government personnel [4], suggesting potential compromises within the US government [4]. Hackers linked to Russian intelligence have been targeting Kremlin critics globally through a phishing campaign [2], as revealed by research from Citizen Lab and Access Now [2]. This operation [2], part of a broader internet espionage effort [2], has been ongoing since around 2022 and has focused on prominent Russian opposition figures [2], former US officials [2] [3] [4] [6], academics [2] [4] [6], nonprofit staff [2], and media organizations [1] [2] [3] [4] [5] [9]. The phishing emails impersonate known individuals to appear more authentic [2], and the malicious attachments lead to fake login pages where victims unwittingly enter their credentials [2]. The hacking has been attributed to two groups: Cold River (Coldriver) [2], associated with Russia’s FSB [2], and Coldwastrel [1] [2] [5] [6] [8] [9], a new group supporting Russian intelligence [2]. The targets, mainly high-risk individuals within Russia [2] [6], face serious consequences if compromised [2] [6], including imprisonment [2].
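The lure pattern the reporting describes, a familiar colleague's name on an unfamiliar sender address plus an encrypted PDF attachment, can be turned into a simple mailbox triage check. The following Python script is an added example written for this page, not code from any of the cited reports; the contact list, the sender addresses, the message bodies and the PDF byte strings are all constructed stand-ins, and the /Encrypt check is a heuristic, not a full PDF parser.

```python
"""Triage helper for the lure pattern described above: a message whose
From: display name belongs to a known contact but whose address does not,
carrying an encrypted PDF attachment. Added example; every contact,
address, message and PDF below is constructed for illustration."""
import email
import email.policy
from dataclasses import dataclass, field
from email.message import EmailMessage

# Constructed address book: display name -> addresses that contact really uses.
KNOWN_CONTACTS = {"Anna Example": {"anna@example-ngo.org"}}

# Constructed stand-ins for PDF files: only the trailer matters for the check.
ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")
PLAIN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


@dataclass
class Finding:
    subject: str
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Both indicators together match the lure the reporting describes.
        if len(self.reasons) >= 2:
            return "high"
        return "medium" if self.reasons else "low"


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF names an /Encrypt dictionary in its trailer."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def analyze(raw: bytes, contacts=KNOWN_CONTACTS) -> Finding:
    """Parse one raw RFC 5322 message and collect the two indicators."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    finding = Finding(subject=str(msg["Subject"] or ""))
    sender = msg["From"]
    if sender is not None and sender.addresses:
        display = sender.addresses[0].display_name
        addr = sender.addresses[0].addr_spec.lower()
        known = contacts.get(display)
        # Display-name impersonation: a familiar name on an unfamiliar address.
        if known is not None and addr not in known:
            finding.reasons.append(
                f"display name {display!r} sent from unknown address {addr}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            if pdf_is_encrypted(payload):
                finding.reasons.append(f"encrypted PDF attachment {name!r}")
    return finding


def build_sample(sender: str, pdf: bytes, filename: str = "documents.pdf") -> bytes:
    """Construct a raw test message (not a real captured lure)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "target@example-media.org"
    m["Subject"] = "Documents for review"
    m.set_content("Please see the attached file; the password follows separately.")
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename=filename)
    return m.as_bytes()


# Constructed samples: a lookalike sender with an encrypted PDF, and two
# messages from the genuine contact for comparison.
SAMPLES = {
    "lookalike": build_sample("Anna Example <anna.example@example-lookalike.com>", ENCRYPTED_PDF),
    "genuine_encrypted": build_sample("Anna Example <anna@example-ngo.org>", ENCRYPTED_PDF),
    "genuine_plain": build_sample("Anna Example <anna@example-ngo.org>", PLAIN_PDF),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        f = analyze(raw)
        print(f"{label:18} {f.verdict:6} {'; '.join(f.reasons) or '-'}")
```

The verdict is deliberately a triage signal rather than a block decision: an encrypted PDF from a genuine contact is legitimate in many civil society workflows, so only the combination of the two indicators is rated high, and the contact list is what makes the display-name check meaningful.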
Cold River [2] [6] [8], a prolific hacking group [2], has intensified its activities against Ukraine’s allies following the invasion of Ukraine [2], with some members sanctioned by US and British officials in December [2]. Spear-phishing involves personalized attacks using tailored information [7]. These threat actors are likely still targeting civil society with spear-phishing and other techniques [7].
Conclusion
The impacts of these cyber espionage campaigns are significant, with potential harm to Russian and Belarusian organizations and independent media [5]. Mitigations to date include sharing indicators with email providers so that the attacks can be tracked and blocked [11]. The outlook is a continued threat to civil society from Russian-aligned cyber espionage groups.
References
[1] https://www.infosecurity-magazine.com/news/russia-fsb-spearphishing-espionage/
[2] https://www.aol.com/news/russias-critics-targeted-global-hacking-120613203.html
[3] https://www.theglobeandmail.com/business/article-u-of-t-lab-ties-russian-hacking-group-coldriver-to-cyberattack/
[4] https://siliconangle.com/2024/08/15/russian-state-sponsored-phishing-campaign-targets-western-ngos-diplomats/
[5] https://www.themoscowtimes.com/2024/08/14/fsb-linked-phishing-campaign-targets-russian-activists-independent-media-a86020
[6] https://uk.pcmag.com/security/153896/russia-backed-hackers-target-human-rights-groups-with-sophisticated-emails
[7] https://www.accessnow.org/russian-phishing-campaigns/
[8] https://www.washingtonpost.com/technology/2024/08/14/russian-phishing-human-rights-organizations/
[9] https://www.forbes.com/sites/emmawoollacott/2024/08/14/russia-linked-phishing-attacks-targeted-ngos-and-ex-us-ambassador/
[10] https://cyberscoop.com/russian-hacking-campaign-targets-rights-groups-media-former-us-ambassador/
[11] https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/