Russian and Belarusian non-profit organizations, independent Russian media outlets, and European international NGOs have been hit by two separate spear-phishing campaigns that appear to align with the Russian government's interests.
The first campaign, called River of Phish, has links to COLDRIVER, a group connected to Russia’s Federal Security Service (FSB). The second relates to a new threat group named COLDWASTREL.
The attackers targeted well-known Russian opposition figures living abroad, U.S. officials, think tank academics, and a former ambassador to Ukraine. Access Now and the Citizen Lab uncovered these findings through a joint investigation.
Both attack types were designed to fool members of the targeted organizations. Access Now reported, “The most common attack pattern we observed involved an email sent from either a compromised account or one that resembles a real account from someone familiar to the victim.”
River of Phish relies on tailored social engineering: it lures victims into clicking links in PDF bait documents. Those links redirect the victim to a credential-harvesting page and also track infected computers, which helps keep automated tools from finding the attackers' backup systems.
The email messages are sent from Proton Mail accounts impersonating organizations or individuals familiar to the victims. The Citizen Lab observed that the attacker skips attaching a PDF to the initial message, which nonetheless asks the recipient to review the 'attached' file.
COLDRIVER-linked websites use PDF files that look encrypted to back up their claims. These threat actors push victims to open these files in Proton Drive by clicking on given links—a trick this group has used before.
COLDWASTREL relies on social engineering as well, using Proton Mail and Proton Drive lures to steer victims to fake login pages on lookalike domains such as "protondrive[.]online" and "protondrive[.]services." Experts first spotted these attacks in March 2023.
COLDWASTREL differs from COLDRIVER, however, in how it harvests credentials through lookalike domains, and its PDF content and metadata also differ. For now, no one knows who is behind this activity.
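As an added defender-side example (not code from the Access Now or Citizen Lab report), the Python snippet below scans an email body for links whose hostname borrows the Proton brand but whose registrable domain falls outside an allowlist of legitimate Proton domains, using the defanged indicators named above as constructed input. The allowlist, the brand-token list and the two-label domain rule are simplifying assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate Proton domains (illustrative, not Proton's official list).
PROTON_ALLOWLIST = {"proton.me", "protonmail.com"}
# Brand tokens whose presence in an unfamiliar hostname is suspicious.
BRAND_TOKENS = ("proton",)

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def refang(indicator: str) -> str:
    """Turn defanged notation (protondrive[.]online, hxxps://) back into a parseable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label public suffixes in the sample)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_lookalikes(text: str):
    """Return (url, registrable_domain) pairs for links that mimic the brand but are not allowlisted."""
    hits = []
    for url in URL_RE.findall(refang(text)):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if any(tok in host for tok in BRAND_TOKENS) and domain not in PROTON_ALLOWLIST:
            hits.append((url, domain))
    return hits


# Constructed sample email body, modelled on the "review the attached file" lure pattern.
SAMPLE_BODY = """Hello,
Please review the attached document in Proton Drive:
hxxps://protondrive[.]online/share/review.pdf
Legitimate links for comparison: https://drive.proton.me/urls/abc and https://mail.protonmail.com/
Another lure: https://protondrive[.]services/login
"""

if __name__ == "__main__":
    for url, domain in find_lookalikes(SAMPLE_BODY):
        print(f"lookalike: {url} (registrable domain {domain})")
```

Run over real mail, the same logic would feed a mail-gateway rule or a SIEM detection rather than printing to the console.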
The Citizen Lab said, “When the likelihood of discovery is low, phishing remains effective—it’s a method for global targeting without revealing more sophisticated (and costly) capabilities.”