Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with that of the Russian government.
While one of the campaigns – dubbed River of Phish – has been attributed to COLDRIVER, an adversarial collective with ties to Russia’s Federal Security Service (FSB), the second set of attacks have been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL.
Targets of the campaigns also included prominent Russian opposition figures-in-exile, officials and academics in the US think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation from Access Now and the Citizen Lab.
“Both kinds of attacks were highly tailored to better deceive members of the target organizations,” Access Now said. “The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known.”
River of Phish involves the use of personalized and highly-plausible social engineering tactics to trick victims into clicking on an embedded link in a PDF lure document, which redirects them to a credential harvesting page, but not before fingerprinting the infected hosts in a likely attempt to prevent automated tools from accessing the second-stage infrastructure.
The email messages are sent from Proton Mail email accounts impersonating organizations or individuals that were familiar or known to the victims.
“We often observed the attacker omitting to attach a PDF file to the initial message requesting a review of the ‘attached’ file,” the Citizen Lab said. “We believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection, and select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment).”
The links to COLDRIVER are bolstered by the fact that the attacks use PDF documents that appear encrypted and urge the victims to open them in Proton Drive by clicking on the link, a ruse the threat actor has employed in the past.
Some of the social engineering elements also extend to COLDWASTREL, particularly in the use of Proton Mail and Proton Drive to trick targets into clicking on a link and taken them to a fake login page (“protondrive[.]online” or “protondrive[.]services”) for Proton. The attacks were first recorded in March 2023.
However, COLDWASTREL deviates from COLDRIVER when it comes to the use of lookalike domains for credential harvesting and due to differences in PDF content and metadata. The activity has not been attributed to a particular actor or country at this stage.
“When the cost of discovery remains low, phishing remains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated (and expensive) capabilities to discovery,” the Citizen Lab said.