Russian-Linked Hackers Target Eastern European NGOs and Media

Aug 15, 2024 | Ravie Lakshmanan | Cyber Attack / Social Engineering

Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with those of the Russian government.

While one of the campaigns, dubbed River of Phish, has been attributed to COLDRIVER, an adversarial collective with ties to Russia's Federal Security Service (FSB), the second set of attacks has been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL.


Targets of the campaigns also included prominent Russian opposition figures in exile, officials and academics in the U.S. think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation by Access Now and the Citizen Lab.

"Both kinds of attacks were highly tailored to better deceive members of the target organizations," Access Now said. "The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known."

River of Phish relies on personalized and highly plausible social engineering tactics to trick victims into clicking an embedded link in a PDF lure document. The link redirects them to a credential harvesting page, but only after fingerprinting the visiting host, a likely attempt to prevent automated analysis tools from reaching the second-stage infrastructure.


The email messages are sent from Proton Mail accounts impersonating organizations or individuals that were familiar or known to the victims.

"We often observed the attacker omitting to attach a PDF file to the initial message requesting a review of the 'attached' file," the Citizen Lab said. "We believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection, and select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment)."

The links to COLDRIVER are bolstered by the fact that the attacks use PDF documents that appear to be encrypted and urge the victim to open them in Proton Drive by clicking a link, a ruse the threat actor has employed in the past.


Some of the same social engineering elements also extend to COLDWASTREL, particularly the use of Proton Mail and Proton Drive to trick targets into clicking a link that takes them to a fake Proton login page ("protondrive[.]online" or "protondrive[.]services"). The attacks were first recorded in March 2023.

However, COLDWASTREL deviates from COLDRIVER in its use of lookalike domains for credential harvesting and in differences in PDF content and metadata. The activity has not been attributed to a specific actor at this stage.
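The lookalike-domain pattern described above lends itself to a simple triage check over inbound mail or extracted PDF links. The following is an added example (not code from the report or from Access Now or the Citizen Lab) that flags URLs whose hostname carries a Proton brand keyword but whose registrable domain is not one Proton actually uses; the allowlist of legitimate Proton domains and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains Proton itself serves from (assumption, not from the report).
LEGIT_PROTON_DOMAINS = {"proton.me", "protonmail.com", "protonmail.ch", "pm.me"}
# Brand strings an impersonator is likely to embed in a lookalike hostname.
BRAND_KEYWORDS = ("protondrive", "protonmail", "proton")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text):
    """Undo common defanging ('[.]', 'hxxp') so indicators copied from reports parse as URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Last two labels of the hostname; adequate for .online/.services, no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """'legitimate' for real Proton hosts, 'lookalike' for brand-bearing impostors, else 'unrelated'."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_PROTON_DOMAINS:
        return "legitimate"
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"  # e.g. protondrive.online, proton.me.evil.example
    return "unrelated"


def find_lookalikes(text):
    """Return every lookalike Proton URL found in an email body or a PDF's extracted link list."""
    return [u for u in URL_RE.findall(refang(text)) if classify_url(u) == "lookalike"]


# Constructed sample message, modelled on the "encrypted PDF, open in Proton Drive" lure.
SAMPLE = """Please review the attached document. It is encrypted, so open it in Proton Drive:
https://protondrive[.]online/share/doc1234
Our shared folder is here: https://drive.proton.me/urls/abc
Unrelated: https://example.org/news"""

if __name__ == "__main__":
    for url in find_lookalikes(SAMPLE):
        print("suspicious Proton lookalike:", url)
```

A brand-keyword substring match will also catch unrelated names that happen to contain "proton", so treat a hit as a triage signal for analyst review rather than an automatic block.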

"When the cost of discovery remains low, phishing remains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated (and expensive) capabilities to discovery," the Citizen Lab said.
