Spear-phishing attacks targeting Russian and Belarusian non-profits, independent media outlets, and international NGOs active in Eastern Europe were launched by threat actors aligned with the interests of the Russian government.
While some of the attacks, such as the River of Phish campaign, have been linked to an adversarial group tied to Russia's FSB (the group tracked as COLDRIVER), a second wave has been attributed to a previously unknown threat actor dubbed COLDWASTREL.
Targets of the campaigns also included prominent Russian dissidents living in exile, academics and lecturers affiliated with top-tier American think tanks and media outlets, and a former U.S. Ambassador to Ukraine, according to a joint investigation by Access Now and the Citizen Lab.
Each attack was tailored to the specific organization it targeted. "The most prevalent phishing scenario we observed involved an email sent either from a compromised account or one that resembled the genuine account of someone the victim was familiar with."
River of Phish relies on personalized, highly convincing social engineering to trick victims into clicking an embedded link in a PDF lure document, which redirects them to a credential-harvesting page. Before that redirect, the landing infrastructure fingerprints the visiting host, most likely to keep automated analysis tools from reaching the second-stage infrastructure.
The phishing emails were sent from Proton Mail accounts and impersonated organizations or individuals the victims already knew.
Citizen Lab researchers observed that the attacker consistently failed to attach a PDF file to the initial message asking for a review of the "attached" document. "We believe that this tactic was deliberately employed to enhance the credibility of the communication, reduce the likelihood of detection, and selectively target only those entities that responded to the initial approach (for example, by noting the lack of an attachment)."
The link to COLDRIVER is strengthened by the fact that the attacks use seemingly encrypted PDF documents that prompt victims to open them in Proton Drive by clicking a link, a tactic the threat actor has used before.
Among the social engineering tactics employed by COLDWASTREL, the most notable is the use of Proton Mail and Proton Drive themes to lure targets into clicking a link that redirects them to a fake login page ("protondrive.onion" or "protondrive.providers") designed to mimic official Proton portals. The attacks were first observed in March 2023.
Despite the overlap in targeting, COLDWASTREL differs from COLDRIVER in its use of lookalike domains for credential harvesting and in the content and metadata of its PDF lures. The activity has not been attributed to a specific actor at this stage.
"When the cost of detection remains relatively low, phishing remains a cost-effective means to target globally without risking exposure of more sophisticated and expensive tactics," the Citizen Lab noted.