Russian-Linked Hackers Target Eastern European NGOs and Media – Cyber Tech

Aug 15, 2024 | Ravie Lakshmanan | Cyber Attack / Social Engineering

Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with those of the Russian government.

While one of the campaigns – dubbed River of Phish – has been attributed to COLDRIVER, an adversarial collective with ties to Russia's Federal Security Service (FSB), the second set of attacks has been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL.

Targets of the campaigns also included prominent Russian opposition figures-in-exile, officials and academics in the U.S. think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation from Access Now and the Citizen Lab.

"Both kinds of attacks were highly tailored to better deceive members of the target organizations," Access Now said. "The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known."

River of Phish involves the use of personalized and highly plausible social engineering tactics to trick victims into clicking on an embedded link in a PDF lure document, which redirects them to a credential harvesting page, but not before fingerprinting the infected hosts in a likely attempt to prevent automated tools from accessing the second-stage infrastructure.

The email messages are sent from Proton Mail accounts impersonating organizations or individuals that were familiar or known to the victims.

"We often observed the attacker omitting to attach a PDF file to the initial message requesting a review of the 'attached' file," the Citizen Lab said. "We believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection, and select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment)."

The links to COLDRIVER are bolstered by the fact that the attacks use PDF documents that appear encrypted and urge the victims to open them in Proton Drive by clicking on the link, a ruse the threat actor has employed in the past.

Some of the social engineering elements also extend to COLDWASTREL, particularly the use of Proton Mail and Proton Drive to trick targets into clicking on a link that takes them to a fake Proton login page ("protondrive[.]online" or "protondrive[.]services"). The attacks were first recorded in March 2023.

However, COLDWASTREL deviates from COLDRIVER in its use of lookalike domains for credential harvesting and in differences in PDF content and metadata. The activity has not been attributed to a particular actor at this stage.
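The two lookalike domains above are the kind of indicator a defender can turn into a mail-gateway or log check. The script below is an added example, not code from the report or from Access Now or the Citizen Lab: it refangs the published indicators, extracts URLs from a constructed sample message, and flags any host whose registrable domain either carries the "proton" brand token or is an edit-distance near-match of a legitimate Proton domain, while leaving real Proton subdomains alone. It goes beyond the two reported domains to catch typosquats of the same brand. The legitimate-domain list, the naive last-two-labels registrable-domain rule (a real deployment would use the public suffix list), the 0.85 similarity threshold and the sample email are all assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Lookalike domains reported for the COLDWASTREL credential-harvesting pages,
# kept in the defanged form used in the write-up.
REPORTED_LOOKALIKES = ["protondrive[.]online", "protondrive[.]services"]

# Assumption: these are the domains treated as legitimately Proton-owned here.
LEGIT_DOMAINS = {"proton.me", "protonmail.com"}
BRAND_TOKENS = ("proton",)

# Similarity ratio above which a registrable domain counts as a near-match
# of a legitimate one (assumed threshold for this example).
SIMILARITY_THRESHOLD = 0.85

# Constructed sample message for the example; not a real capture.
SAMPLE_EMAIL = """Subject: Please review the attached document

Apologies, the file did not attach earlier. I have shared it via Proton Drive:
https://protondrive.online/share/review-draft.pdf

For reference, my usual links are:
https://drive.proton.me/urls/abc123
https://mail.proton.me/inbox
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or empty string if it has none."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Naive registrable-domain approximation: the last two labels.
    Assumption for the example; production code should use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_legit(host: str) -> bool:
    """True for an allow-listed domain or any subdomain of one."""
    return host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(host: str) -> bool:
    """Flag hosts that imitate Proton without being Proton-owned."""
    host = host.lower().rstrip(".")
    if not host or is_legit(host):
        return False
    reg = registrable_domain(host)
    # Brand token inside a non-Proton registrable domain (protondrive.online).
    if any(token in reg for token in BRAND_TOKENS):
        return True
    # Typosquat-style near-match of a legitimate domain (pr0ton.me).
    return any(
        SequenceMatcher(None, reg, legit).ratio() >= SIMILARITY_THRESHOLD
        for legit in LEGIT_DOMAINS
    )


def scan_message(text: str) -> list[tuple[str, str, bool]]:
    """Return (url, host, flagged) for every URL found in the message body."""
    results = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        results.append((url, host, is_lookalike(host)))
    return results


def flagged_hosts(text: str) -> list[str]:
    """Sorted, de-duplicated hosts in the message that look like Proton lookalikes."""
    return sorted({host for _, host, flagged in scan_message(text) if flagged})


if __name__ == "__main__":
    for indicator in REPORTED_LOOKALIKES:
        print(f"{indicator:28} lookalike={is_lookalike(refang(indicator))}")
    for url, host, flagged in scan_message(SAMPLE_EMAIL):
        print(f"{'FLAG' if flagged else 'ok  '} {host:24} {url}")
```

The allow-list check runs first so that genuine Proton Drive share links on drive.proton.me are never flagged; the brand-token rule then catches the registered lookalikes from the report, and the similarity rule covers character-substitution variants the report does not list.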

"When the cost of discovery remains low, phishing remains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated (and expensive) capabilities to discovery," the Citizen Lab said.
