Russian-Linked Hackers Target Eastern European NGOs and Media – Cyber Tech

Aug 15, 2024 | Ravie Lakshmanan | Cyber Attack / Social Engineering

Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with those of the Russian government.

While one of the campaigns, dubbed River of Phish, has been attributed to COLDRIVER, an adversarial collective with ties to Russia's Federal Security Service (FSB), the second set of attacks has been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL.


Targets of the campaigns also included prominent Russian opposition figures in exile, officials and academics in the U.S. think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation from Access Now and the Citizen Lab.

"Both kinds of attacks were highly tailored to better deceive members of the target organizations," Access Now said. "The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known."

River of Phish involves the use of personalized and highly plausible social engineering tactics to trick victims into clicking on an embedded link in a PDF lure document, which redirects them to a credential-harvesting page, but not before fingerprinting the visiting host in a likely attempt to keep automated analysis tools away from the second-stage infrastructure.


The email messages are sent from Proton Mail accounts impersonating organizations or individuals that were familiar or known to the victims.

"We frequently observed the attacker omitting to attach a PDF file to the initial message requesting a review of the 'attached' file," the Citizen Lab said. "We believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection, and select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment)."

The links to COLDRIVER are bolstered by the fact that the attacks use PDF documents that appear encrypted and urge the victims to open them in Proton Drive by clicking on the link, a ruse the threat actor has employed in the past.


Some of the social engineering elements also extend to COLDWASTREL, particularly the use of Proton Mail and Proton Drive to trick targets into clicking on a link that takes them to a fake Proton login page ("protondrive[.]online" or "protondrive[.]services"). The attacks were first recorded in March 2023.

However, COLDWASTREL deviates from COLDRIVER in its use of lookalike domains for credential harvesting and in differences in PDF content and metadata. The activity has not been attributed to a specific actor at this stage.
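As an added example (not code from the original report or from Access Now or the Citizen Lab), the following Python triage check flags the two lures described above in a single email: links whose host is one of the reported lookalike domains, or any other host that borrows the "proton" brand name without belonging to a legitimate Proton domain, and a message body that refers to an "attached" file while the message carries no attachment. The allowlist of Proton domains, the constructed sample message and the naive registrable-domain logic (no public suffix list) are assumptions made for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Legitimate Proton domains. Assumption: an illustrative allowlist, not taken from the report.
LEGIT_PROTON_DOMAINS = {"proton.me", "protonmail.com", "protonmail.ch", "pm.me"}

# Lookalike domains named in the Access Now / Citizen Lab report, kept defanged as published.
REPORTED_LOOKALIKES = {"protondrive[.]online", "protondrive[.]services"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
ATTACHMENT_WORDS_RE = re.compile(r"\battach(?:ed|ment)\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'protondrive[.]online' back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Assumption: no public suffix list is consulted, so 'example.co.uk'-style
    suffixes are handled wrongly; adequate for the TLDs seen in this campaign.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """Classify a link host relative to Proton's real domains.

    Returns one of: 'legit', 'known-lookalike', 'suspect-lookalike', 'other'.
    """
    host = host.lower()
    reg = registrable_domain(host)
    if reg in LEGIT_PROTON_DOMAINS:
        return "legit"
    if reg in {refang(d) for d in REPORTED_LOOKALIKES}:
        return "known-lookalike"
    # Any other host that borrows the brand (e.g. 'proton-login.example' or
    # 'proton.me.evil.example') deserves a second look.
    if "proton" in host:
        return "suspect-lookalike"
    return "other"


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:") for m in URL_RE.finditer(text)]


def analyze_message(raw: str) -> dict:
    """Flag the two lures: non-Proton 'Proton' links and a missing 'attached' file."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    attachments = [p.get_filename() for p in msg.iter_attachments()]

    link_findings = []
    for url in extract_urls(text):
        host = urlparse(url).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict != "legit":
            link_findings.append((url, verdict))

    # The report describes first contact that asks for a review of an 'attached'
    # file without attaching one; that combination is itself a signal.
    missing_attachment_lure = bool(ATTACHMENT_WORDS_RE.search(text)) and not attachments
    return {
        "sender": str(msg["From"]),
        "link_findings": link_findings,
        "missing_attachment_lure": missing_attachment_lure,
    }


# Constructed sample message (not a real capture) combining both lures described in the report.
SAMPLE_EMAIL = """\
From: "A. Colleague" <a.colleague@proton.me>
To: analyst@ngo.example
Subject: Request for comments
Content-Type: text/plain; charset="utf-8"

Hello,

Could you review the attached document before tomorrow's call?
If it does not open, use Proton Drive: https://protondrive.online/share/9f3c2a1b

Best regards
"""

if __name__ == "__main__":
    result = analyze_message(SAMPLE_EMAIL)
    for url, verdict in result["link_findings"]:
        print(f"link  {verdict:18} {url}")
    if result["missing_attachment_lure"]:
        print("lure  message refers to an attachment but carries none")
```

Because the sender address is on a real Proton domain, a sender-domain allowlist alone would pass this message; the link host and the missing attachment are what give it away, which is why the check looks at both.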

"When the cost of discovery remains low, phishing remains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated (and expensive) capabilities to discovery," the Citizen Lab said.
