COLDWASTREL (Cybercriminals) – Threat Actor

February 13, 2025
Reading Time: 4 mins read
in Threat Actors
COLDWASTREL

Location: Russia

Date of Initial Activity: 2022

Suspected Attribution: Cybercriminals

Motivation: Cyberwarfare

Software: Phishing

Overview

COLDWASTREL, also known by the moniker White Dev 185, is a sophisticated and persistent cyber espionage group that has been active for several years. The threat actor primarily targets non-governmental organizations (NGOs), government entities, and organizations involved in politically sensitive matters, leveraging social engineering and credential-stealing techniques. Its operations are characterized by careful victim selection and a focus on long-term, covert campaigns. While its activities are often difficult to trace, the group’s methods and tactics have been analyzed by cybersecurity researchers, revealing a high degree of technical proficiency and operational planning.

COLDWASTREL’s campaigns typically involve spear-phishing, in which victims are lured into opening malicious attachments, such as PDFs, that carry malware. These messages are disguised as legitimate communications, making it hard for recipients to recognize the threat. Once the malware executes, COLDWASTREL gains unauthorized access to the victim’s network, enabling the theft of sensitive data and the escalation of its control over the system. This pattern of planned infiltration followed by data exfiltration reflects the group’s broader espionage goals, with a particular interest in sensitive or classified information related to geopolitical developments.

Common targets: Individuals, Information, Public Administration, Ukraine

Attack Vectors: Phishing

How they operate

One of the most prominent techniques used by COLDWASTREL is spear-phishing, typically conducted through emails that carry malicious attachments such as PDFs. These emails are crafted to appear legitimate, often mimicking communications from trusted sources. When the victim opens the attachment, malware is deployed, granting the attacker access to the victim’s network. This initial access allows COLDWASTREL to establish a foothold within the victim’s infrastructure, often going undetected for long periods. The malware used in these attacks is capable of evading detection by common security tools, allowing the attacker to remain hidden within the network.

Once inside the victim’s system, COLDWASTREL uses a variety of tactics to escalate privileges and maintain persistence. The group frequently combines custom malware with legitimate-looking tools to perform these actions, moving laterally within the network, escalating privileges, and compromising additional systems. Its focus on stealth and persistence is reflected in its use of domain names that mimic legitimate services, such as ProtonMail and cloud storage platforms. This deceptive infrastructure is designed to look authentic and blend in with normal network traffic, making it difficult for victims to identify the threat.

The group also makes extensive use of diverse infrastructure to avoid detection. COLDWASTREL operates a wide range of domains, many of them themed around legitimate services such as ProtonDrive, Facebook, and various email platforms. These domains serve as command-and-control (C2) channels, enabling the attackers to maintain communication with compromised systems and exfiltrate data without raising alarms. The domains are hosted on servers in multiple countries, including Romania, Finland, Serbia, and the Netherlands, which complicates efforts to track the group’s activities. Its preference for multiple hosting providers, including EstNOC OY and MivoCloud, further improves its ability to evade detection and stay operational even if part of its infrastructure is taken down.

Another significant aspect of COLDWASTREL’s operations is its targeting of specific regions and organizations. For example, many of its malicious domains are associated with Ukraine, suggesting that its campaigns may be tied to geopolitical events or state-sponsored efforts. This focus on politically sensitive targets allows the group to gather valuable intelligence and disrupt operations that could have significant global implications. By leveraging its technical expertise and access to a broad network of resources, COLDWASTREL has executed cyber espionage campaigns that have gone undetected for years.

In conclusion, COLDWASTREL’s technical operations are marked by a blend of sophisticated malware, advanced phishing tactics, and deceptive infrastructure. Its ability to infiltrate networks, maintain persistence, and exfiltrate sensitive data makes it a significant threat to organizations involved in politically sensitive activities. The group’s operations demonstrate a high level of technical sophistication, and its continued activity highlights the need for organizations to invest in advanced security measures against such targeted and persistent attacks. As the threat landscape continues to evolve, COLDWASTREL remains one of the most formidable cyber espionage groups operating today.
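The profile above singles out lookalike domains themed around ProtonMail, ProtonDrive and Facebook as the group's C2 and phishing infrastructure. The following is an added example, not code from the original page or from the cited reports, of a defensive check a SOC could run over DNS query logs to surface such domains: it folds common digit-for-letter substitutions, compares the registrable label against a brand watchlist by edit distance, and flags brand names embedded in longer labels, while skipping an allowlist of the brands' own domains. The log format, the `.example` domains and the watchlist thresholds are constructed for illustration; none of the flagged names are real indicators from the page.

```python
import re
from typing import Optional

# Legitimate registrable domains for the watched brands (allowlisted, never flagged).
ALLOWLIST = {"proton.me", "protonmail.com", "protonmail.ch", "protonvpn.com",
             "facebook.com", "fb.com"}

# Brand tokens the profile says the actor's lookalike domains are themed around.
BRANDS = ["protonmail", "protondrive", "proton", "facebook"]

# Digit-for-letter substitutions commonly seen in lookalikes, folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample DNS resolver log (hypothetical format and hostnames).
SAMPLE_DNS_LOG = """\
2025-02-13T10:21:04Z client=10.0.0.12 query=protonmail.com type=A
2025-02-13T10:21:09Z client=10.0.0.12 query=mail.pr0tonmai1-login.example type=A
2025-02-13T10:22:31Z client=10.0.0.40 query=protonmial.example type=A
2025-02-13T10:23:02Z client=10.0.0.40 query=drive.proton.me type=A
2025-02-13T10:24:17Z client=10.0.0.77 query=facebo0k-security.example type=A
2025-02-13T10:25:00Z client=10.0.0.77 query=example.org. type=AAAA
2025-02-13T10:26:45Z client=10.0.0.12 query=updates.protondrive-share.example type=A
"""


def split_domain(domain: str) -> list:
    """Lowercase, drop a trailing dot, and split into labels."""
    return domain.lower().rstrip(".").split(".")


def registrable_domain(domain: str) -> str:
    """Naive registrable domain (last two labels); a real deployment would use a public-suffix list."""
    return ".".join(split_domain(domain)[-2:])


def registrable_label(domain: str) -> str:
    """The label directly under the TLD, e.g. 'pr0tonmai1-login' for mail.pr0tonmai1-login.example."""
    parts = split_domain(domain)
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold homoglyph digits and common letter-pair confusables, then keep letters only."""
    folded = label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[dict]:
    """Return a finding dict for a lookalike domain, or None if it looks benign/allowlisted."""
    if registrable_domain(domain) in ALLOWLIST:
        return None
    core = normalize(registrable_label(domain))
    # 1) Near-miss spellings of the brand itself (threshold scales with brand length).
    best = None
    for brand in BRANDS:
        dist = levenshtein(core, brand)
        if dist <= max(1, len(brand) // 5) and (best is None or dist < best[1]):
            best = (brand, dist)
    if best:
        return {"domain": domain, "brand": best[0], "reason": f"edit-distance-{best[1]}"}
    # 2) Brand embedded in a longer label ("protonmail-login"); needs analyst review.
    for brand in BRANDS:
        if brand in core:
            return {"domain": domain, "brand": brand, "reason": "brand-embedded"}
    return None


def scan_log(log_text: str) -> list:
    """Run classify() over every query= field in the log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        hit = classify(m.group(1))
        if hit:
            client = re.search(r"client=(\S+)", line)
            hit["client"] = client.group(1) if client else None
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_DNS_LOG):
        print(f"{f['client']}\t{f['domain']}\t{f['brand']}\t{f['reason']}")
```

The edit-distance pass runs before the substring pass so that a misspelling such as `protonmial` is reported against `protonmail` rather than as the shorter `proton` token embedded in it. Substring hits are deliberately broad and belong in a review queue rather than an automatic block list, since ordinary names can contain a brand token.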
References:
  • COLDWASTREL of Space
  • Spear-Phishing Cases from Eastern Europe – A Technical Brief

Tags: COLDWASTREL, Cybercriminals, Government, NGO, PDF, Phishing, Russia, Threat Actors, Ukraine, White Dev 185