Media, activists, former US diplomat were on Russia-aligned phishing campaigns’ hit lists

Avatar

Researchers are tracking two Russia-aligned phishing campaigns that targeted human rights organizations, independent media and civil society members from Eastern Europe and the U.S.

Technical evidence suggests the perpetrators are “close to the Russian regime,” according to a report released Wednesday by digital rights nonprofit Access Now and digital forensic researchers at The Citizen Lab. 

A group previously tracked as Coldriver and a newly identified operation labeled Coldwastrel are responsible, the report says.

The hackers sent malicious emails using Proton Mail addresses to impersonate organizations or individuals familiar to the victims. The emails contained locked PDF documents with a malicious link that purported to unlock them, but instead led to fake login pages designed to collect victims’ passwords and two-factor authentication codes, among other data.

In a comment to Recorded Future News, Access Now stated that the researchers haven’t observed any malware being deployed in the attacks.

“It looks like the focus of these attackers was to gain account access, not control of the device,” said Natalia Krapiva, senior tech legal counsel at Access Now.

The targets include Russian and Belarusian human rights organizations and Russian independent media outlets, such as Proekt, which investigates and reports on human rights violations, corruption and repression.

The hackers aimed their emails at a U.S.-based human rights organization and at least one former U.S. diplomat — Steven Pifer, a William Perry Research Fellow at Stanford’s Center for International Security and Cooperation and a former U.S. ambassador to Ukraine.

“While some targets told us that they did not engage with the phishing emails described in the two attacks, others were deceived into entering their user credentials,” researchers said, without specifying who fell victim to the attacks.

“Even though we did not directly observe credentials being passed back to the attackers’ infrastructure, it is likely that attackers were able to gain unauthorized access to some victims’ email accounts.”

If successful, such attacks could be “enormously harmful,” particularly to Russian and Belarusian organizations and independent media, since their email accounts are likely to contain sensitive information about their staff’s identities, activities, relationships and whereabouts, researchers said.

According to Krapiva, the hackers could use the obtained information to find new victims, designate people as “foreign agents” or “undesirable” — as practiced in Russia — surveil these individuals physically, or install malware on their or their contacts’ devices in the future. They could even use this information to poison or assassinate people. “There is really no limit,” she added.

The phishing campaigns were carried out between October 2022 and this month, the report said. It is not yet clear if the two threat actors are linked.

The activity of Coldwastrel hasn’t been reported before. Researchers believe that this threat actor may be aligned with or close to the Russian regime, as it aims email lures at people who could be of interest to the Kremlin; has a profound understanding of the regional context and the targetsʼ work; and makes highly personalized attempts to breach accounts. 

The report’s authors said, however, that they could not yet tie Coldwastrel directly to any nation-state.

Coldriver’s phishing campaign employs more sophisticated techniques to obscure its intentions and make the malicious code harder to analyze, according to the report.

The group’s activity was first discovered by Google in 2022. Coldriver is known for targeting high-profile individuals, former intelligence and military officers, and NATO governments. Google reported that the group’s espionage activity aligns with the interests of the Russian government.

In a campaign in January, Coldriver went beyond phishing for credentials and delivered malware, which researchers named Spica, to victims’ systems.

The latest attacks by both threat actors were “highly tailored” to better deceive members of the target organizations, researchers said.

The emails created by the hackers were personalized to present scenarios that the individuals or their organizations might feasibly encounter in their daily work, mentioning topics such as event planning or financial discussions.

“It is likely that these threat actors or their sponsor organizations are still targeting civil society with spear phishing and other techniques,” researchers added.

Nation-stateNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

DARPA awards $14 million to semifinal winners of AI code review competition

Next Post

Biotech company hacked in 2023 pays states $4.5 million over breached data

Related Posts

TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns

New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN. "This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week. First spotted in the wild in 2019, TrickMo is so named for
Avatar
Read More