Russian and Belarusian non-profit organizations, as well as independent media outlets in Russia and international NGOs operating in Eastern Europe, have recently become targets of sophisticated spear-phishing campaigns. These attacks are linked to threat actors with connections to the Russian government, specifically two groups identified as COLDRIVER and COLDWASTREL. The cyber espionage activities are aimed at gathering sensitive information from these organizations and individuals.
The first campaign, dubbed “River of Phish,” is attributed to COLDRIVER, a collective with ties to Russia’s Federal Security Service (FSB). This operation employs highly personalized social engineering tactics. Victims receive emails from compromised or spoofed accounts, often appearing to be from known contacts or organizations. The emails contain deceptive PDF attachments that redirect recipients to credential-harvesting pages, carefully designed to avoid detection by automated security tools. This method also includes fingerprinting infected hosts to protect the attack’s infrastructure.
The second set of attacks involves COLDWASTREL, a previously undocumented threat group. While sharing some similarities with COLDRIVER’s tactics, COLDWASTREL distinguishes itself by using lookalike domains and variations in PDF content for credential harvesting. The group employs similar social engineering techniques, utilizing Proton Mail and Proton Drive to enhance the credibility of their phishing attempts. This group first appeared in March 2023 and has since adapted its methods to evade detection.
Both campaigns highlight the persistent and evolving nature of phishing attacks, particularly when targeting high-profile individuals and sensitive organizations. As phishing remains a cost-effective technique for cyber espionage, the Citizen Lab’s report underscores the need for heightened vigilance and robust security measures to counter these sophisticated threats and protect sensitive information from being compromised.
Reference:
