Russian Government-Linked Spear-Phishing Campaigns Target Eastern European NGOs and Media
Introduction

Russian and Belarusian non-profit organizations, independent media in Russia, and international NGOs operating in Eastern Europe have recently been subjected to two separate spear-phishing campaigns. These cyber-attacks are believed to be linked to threat actors whose activities align with the interests of the Russian government. The campaigns, named "River of Phish" and "COLDWASTREL," have raised concerns due to their highly targeted nature and the involvement of adversarial groups with potential ties to Russia's Federal Security Service (FSB).

River of Phish: Tactics and Attribution

The first of the two campaigns, referred to as "River of Phish," has been attributed to the group known as COLDRIVER. This group is believed to have connections with the Russian FSB and has been involved in various cyber-espionage activities. River of Phish relies on carefully staged social engineering designed to get victims to click on malicious links. The attackers typically send emails from Proton Mail accounts, impersonating organizations or individuals familiar to the targets. These emails usually contain a link to a supposedly encrypted PDF document; once the victim clicks on the link, they are redirected to a credential-harvesting page.

According to a joint investigation by Access Now and the Citizen Lab, the attackers used personalized emails to increase the likelihood of success. A notable tactic involved intentionally omitting the PDF attachment in the initial email, prompting the victim to respond and point out the missing file. This approach not only added credibility to the communication but also filtered out less engaged targets.

COLDWASTREL: A New Threat Cluster

The second campaign, codenamed "COLDWASTREL," represents a previously undocumented threat group. This group has also targeted Russian opposition figures in exile, U.S. officials, academics in think tanks, and a former U.S. ambassador to Ukraine. While COLDWASTREL shares some similarities with COLDRIVER, such as the use of Proton Mail and Proton Drive, it diverges in other key areas. For example, COLDWASTREL uses lookalike domains to harvest credentials and employs different content and metadata in its phishing attempts.

The campaign was first detected in March 2023, but the exact identity of the group behind COLDWASTREL remains unknown. Despite this, the threat posed by COLDWASTREL is significant due to its use of carefully crafted social engineering tactics and the targeting of high-profile individuals and organizations.
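The indicators described for both campaigns (Proton Mail senders, an "encrypted PDF" lure, a referenced-but-missing attachment, links to Proton shares or to lookalike domains) can be turned into a simple mail-triage check. The script below is an added example, not code from the reporting or from the investigators; the allow-list of known domains and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list (hypothetical): domains this organization actually corresponds with.
KNOWN_DOMAINS = {"accessnow.org", "citizenlab.ca"}
WEBMAIL_SENDERS = {"proton.me", "protonmail.com", "pm.me"}  # Proton Mail, used by both campaigns
LURE_TERMS = ("encrypted pdf", "encrypted document", "protected pdf")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as citizen-lab.ca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host):
    """True if host is within two edits of a known domain but is not it or one of its subdomains."""
    if any(host == k or host.endswith("." + k) for k in KNOWN_DOMAINS):
        return False
    return any(levenshtein(host, k) <= 2 for k in KNOWN_DOMAINS)

def triage(sender, subject, body, attachments=()):
    """Return the River of Phish / COLDWASTREL indicators present in one message."""
    findings = []
    if sender.rsplit("@", 1)[-1].lower() in WEBMAIL_SENDERS:
        findings.append("sent from a Proton Mail address")
    text = f"{subject} {body}".lower()
    if any(term in text for term in LURE_TERMS):
        findings.append("lure refers to an encrypted/protected PDF")
    if re.search(r"\battach", text) and not attachments:  # the 'missing attachment' tactic
        findings.append("message refers to an attachment that is not present")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host == "proton.me" or host.endswith(".proton.me"):
            findings.append(f"link to Proton share: {host}")
        elif is_lookalike(host):
            findings.append(f"link to lookalike domain: {host}")
    return findings

# Constructed sample message modelled on the lure described above (not a real email).
SAMPLE = dict(sender="press.office@proton.me", subject="Document for review", attachments=[],
              body="Please see the attached encrypted PDF. If it will not open, use https://citizen-lab.ca/share/doc")
if __name__ == "__main__":
    for finding in triage(**SAMPLE):
        print("-", finding)
```

Each finding on its own is common in legitimate mail; the value is in several appearing together, which is when a message deserves a second look before anyone follows the link.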

Conclusion

The River of Phish and COLDWASTREL spear-phishing campaigns highlight the persistent threat posed by state-aligned cyber actors. These campaigns demonstrate the evolving sophistication of phishing techniques and the strategic targeting of organizations and individuals critical of the Russian government. As long as the cost of conducting these phishing operations remains low, they will continue to be a preferred method for cyber-espionage, enabling attackers to gather sensitive information while minimizing the risk of exposing more advanced capabilities.