Russian and Belarusian non-profit organizations, Russian independent media and international NGOs operating in Eastern Europe have been targeted by two separate phishing campaigns organized by threat actors whose interests align with those of the Russian government.
While one of the campaigns, dubbed River of Phish, has been attributed to COLDRIVER, a notorious group linked to Russia's Federal Security Service (FSB), a second series of attacks was recognized as the work of a previously undocumented threat cluster codenamed COLDWASTREL.
According to a joint investigation by Access Now and Citizen Lab, the campaigns also targeted prominent Russian opposition figures in exile, officials and academics from US think tanks and policy space, as well as the former US ambassador to Ukraine.
“Both types of attacks were specifically configured to better deceive members of the targeted organizations,” Access Now said. “The most common attack pattern we observed was an email sent either from a compromised account or from an account that looked like a real account of someone the victim might know.”
River of Phish relies on personalized and highly plausible social engineering to get victims to click an embedded link in a decoy PDF document that redirects them to a credential-harvesting page, but not before fingerprinting the target's host, likely in an attempt to keep automated tools from reaching the second-stage infrastructure.
The emails are sent from Proton Mail accounts impersonating organizations or individuals known or familiar to the victims.
“We have often seen an attacker not attach a PDF file to the initial message requesting to view the ‘attached’ file,” Citizen Lab said. “We believe this was intentional and intended to increase the credibility of the message, reduce the risk of detection, and select only those targets who responded to the initial approach (e.g., indicating a lack of attachment).”
The links to COLDRIVER are reinforced by the fact that the attacks use PDF documents that appear to be encrypted and prompt victims to open them in Proton Drive by clicking on the link, a trick the threat actor has used in the past.
Some of the social engineering elements also extend to COLDWASTREL, specifically the use of Proton Mail and Proton Drive to trick targets into clicking a link that takes them to a fake Proton login page (“protondrive(.)online” or “protondrive(.)services”). These attacks were first recorded in March 2023.
However, COLDWASTREL differs from COLDRIVER in its use of look-alike domains for credential harvesting and in the content and metadata of its PDF lures. The activity has not been assigned to a specific actor at this stage.
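As an added defender-side example (not code from the Access Now / Citizen Lab report), the following Python triage helper flags the two lure traits described above: a message that refers to an "attached" file but carries no attachment, and a link whose host is a Proton look-alike such as the two domains named in the report. The allow-list of legitimate Proton hosts, the `refang` helper and the sample messages are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed allow-list of legitimate Proton hosts; a real deployment would take
# this from the organization's own policy rather than hard-coding it.
LEGIT_PROTON_HOSTS = {"proton.me", "protonmail.com", "drive.proton.me", "mail.proton.me"}

# Look-alike hosts named (defanged) in the report.
KNOWN_LOOKALIKES = {"protondrive.online", "protondrive.services"}

ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


@dataclass
class Email:
    sender: str
    body: str
    attachments: list = field(default_factory=list)


def refang(text: str) -> str:
    """Undo common defanging so URLs in reports or notes can be parsed."""
    return text.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(body: str) -> set:
    """Return the lower-cased hostnames of every URL found in the body."""
    hosts = set()
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_proton_lookalike(host: str) -> bool:
    """True for a host that carries the Proton brand but is not a Proton domain."""
    if host in LEGIT_PROTON_HOSTS or any(host.endswith("." + h) for h in LEGIT_PROTON_HOSTS):
        return False
    if host in KNOWN_LOOKALIKES:
        return True
    # Heuristic: the brand token appears in a domain Proton does not own.
    return "proton" in host


def triage(email: Email) -> list:
    """Return human-readable findings for the lure traits described in the report."""
    findings = []
    if ATTACHMENT_WORDS.search(email.body) and not email.attachments:
        findings.append("mentions attachment but none present")
    for host in sorted(extract_hosts(email.body)):
        if is_proton_lookalike(host):
            findings.append(f"link to Proton look-alike host {host}")
    return findings


# Constructed sample messages (not real captures).
SAMPLE_PHISH = Email(
    sender="colleague@proton.me",
    body="Please review the attached document. Open it here: hxxps://protondrive(.)online/share/doc",
)
SAMPLE_BENIGN = Email(
    sender="colleague@proton.me",
    body="See the file: https://drive.proton.me/urls/abc",
    attachments=["report.pdf"],
)

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(msg) or "no findings")
```

The attachment check is deliberately a weak signal on its own (plenty of legitimate mail forgets an attachment); its value is in combination with a brand look-alike link, which is why `triage` reports both rather than scoring them.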
“If the cost of detection remains low, phishing remains not only an effective technique, but also a way to continue global targeting while avoiding the disclosure of more sophisticated (and expensive) capabilities,” Citizen Lab said.