espionage, phishing

Media, activists, former US diplomat were on Russia-aligned phishing campaigns' hit lists

Researchers are tracking two Russia-aligned phishing campaigns that targeted human rights organizations, independent media and civil society members from Eastern Europe and the U.S.

Technical evidence suggests the perpetrators are “close to the Russian regime,” according to a report released Wednesday by digital rights nonprofit Access Now and digital forensic researchers at The Citizen Lab.

A group previously tracked as Coldriver and a newly identified operation labeled Coldwastrel are responsible, the report says.

The hackers sent malicious emails using Proton Mail addresses to impersonate organizations or individuals familiar to the victims. The emails contained locked PDF documents with a malicious link that purported to unlock them, but instead led to fake login pages designed to collect victims’ passwords and two-factor authentication codes, among other data.
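The lure described above works because the “unlock” link inside the PDF is an ordinary URI action that the viewer follows when clicked. The following is an added example (not code from the report, Access Now, The Citizen Lab, or the article) of the triage check a mail gateway or analyst might run on an attachment: it pulls every URI action out of a PDF, including ones hidden in FlateDecode-compressed streams, and flags links whose host is not on a list of domains the recipient actually expects documents from. The domain names and the minimal PDF are constructed for the example.

```python
"""Extract and triage link targets embedded in a PDF attachment.

Added example, not part of the report or the article. Assumptions:
the PDF is handled as raw bytes; link targets are stored as literal
strings in /URI actions; only FlateDecode streams are inflated,
other stream filters are skipped.
"""
import re
import zlib
from urllib.parse import urlparse

# /URI (literal string); PDF literals may contain \( \) and \\ escapes.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Raw stream bodies, so compressed object content can be inflated and scanned.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(raw):
    """Undo the PDF string escapes that matter for URLs."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_pdf_uris(pdf):
    """Return every URI action target in the PDF, deduplicated and sorted."""
    found = [_unescape(m) for m in _URI_RE.findall(pdf)]
    for blob in _STREAM_RE.findall(pdf):
        try:
            inflated = zlib.decompress(blob)
        except zlib.error:
            continue  # not Flate-compressed; skipped under this example's assumptions
        found.extend(_unescape(m) for m in _URI_RE.findall(inflated))
    return sorted(set(found))


def flag_suspicious(uris, trusted_domains):
    """Return (uri, reason) pairs an analyst should look at.

    Reasons: non-web scheme, host outside the allowlist, plain-http link to a
    trusted host, or a host that merely contains a trusted domain's first label
    (a coarse lookalike heuristic, e.g. a trusted "ngo.example" appearing
    inside "ngo.example-docs.test").
    """
    trusted = {d.lower() for d in trusted_domains}
    flagged = []
    for uri in uris:
        parts = urlparse(uri)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            flagged.append((uri, "non-web scheme"))
            continue
        if host in trusted or any(host.endswith("." + d) for d in trusted):
            if parts.scheme == "http":
                flagged.append((uri, "trusted host over plain http"))
            continue
        lookalike = any(d.split(".")[0] in host for d in trusted)
        reason = "lookalike of trusted domain" if lookalike else "host not on allowlist"
        flagged.append((uri, reason))
    return flagged


def build_sample_pdf(link):
    """Constructed minimal PDF carrying one link annotation, stored twice:
    once in plain text and once inside a FlateDecode stream."""
    esc = link.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    annot = ("<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
             "/A << /S /URI /URI (" + esc + ") >> >>").encode("latin-1")
    comp = zlib.compress(annot)
    return (b"%PDF-1.4\n1 0 obj " + annot + b" endobj\n"
            b"2 0 obj << /Length " + str(len(comp)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + comp +
            b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed sample: the recipient expects documents from ngo.example,
    # but the "unlock" link points at a lookalike host.
    sample = build_sample_pdf("https://login.ngo.example-docs.test/unlock")
    for uri, reason in flag_suspicious(extract_pdf_uris(sample), ["ngo.example"]):
        print(f"{reason}: {uri}")
```

The allowlist approach is deliberately conservative: a personalized lure will use a plausible path and title, so the decision is made on the host alone, and anything unexpected goes to a human rather than being silently dropped. The lookalike heuristic is coarse and will over-flag short labels; it is meant to raise priority, not to decide on its own.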

In a comment to Recorded Future News, Access Now stated that the researchers haven’t observed any malware being deployed in the attacks.

“It looks like the focus of these attackers was to gain account access, not control of the device,” said Natalia Krapiva, senior tech legal counsel at Access Now.

The targets include Russian and Belarusian human rights organizations and Russian independent media outlets, such as Proekt, which investigates and reports on human rights violations, corruption and repression.

The hackers aimed their emails at a U.S.-based human rights organization and at least one former U.S. diplomat — Steven Pifer, a William Perry Research Fellow at Stanford’s Center for International Security and Cooperation and a former U.S. ambassador to Ukraine.

“While some targets told us that they did not engage with the phishing emails described in the two attacks, others were deceived into entering their user credentials,” researchers said, without specifying who fell victim to the attacks.

“Even though we did not directly observe credentials being passed back to the attackers’ infrastructure, it is likely that attackers were able to gain unauthorized access to some victims’ email accounts.”

If successful, such attacks could be “enormously harmful,” particularly to Russian and Belarusian organizations and independent media, since their email accounts are likely to contain sensitive information about their staff’s identities, activities, relationships and whereabouts, researchers said.

According to Krapiva, the hackers could use the obtained information to find new victims, designate people as “foreign agents” or “undesirable” — as practiced in Russia — surveil these individuals physically, or install malware on their or their contacts’ devices in the future. They could even use this information to poison or assassinate people. “There is really no limit,” she added.

Coldwastrel and Coldriver

The phishing campaigns were carried out between October 2022 and this month, the report said. It is not yet clear if the two threat actors are linked.

The activity of Coldwastrel hasn’t been reported before. Researchers believe that this threat actor may be aligned with or close to the Russian regime, as it aims email lures at people who could be of interest to the Kremlin; has a profound understanding of the regional context and the targets’ work; and makes highly personalized attempts to breach accounts.

The report’s authors said, however, that they could not yet tie Coldwastrel directly to any nation-state.

Coldriver’s phishing campaign employs more sophisticated techniques to obscure its intentions and make the malicious code harder to analyze, according to the report.

The group’s activity was first discovered by Google in 2022. Coldriver is known for targeting high-profile individuals, former intelligence and military officers, and NATO governments. Google reported that the group’s espionage activity aligns with the interests of the Russian government.

In a campaign in January, Coldriver went beyond phishing for credentials and delivered malware, which researchers named Spica, to victims’ systems.

The latest attacks by both threat actors were “highly tailored” to better deceive members of the target organizations, researchers said.

The emails created by the hackers were personalized to present scenarios that the individuals or their organizations might feasibly encounter in their daily work, mentioning topics such as event planning or financial discussions.

“It is likely that these threat actors or their sponsor organizations are still targeting civil society with spear phishing and other techniques,” researchers added.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.