Spear-Phishing Campaigns Target Russian, Belarusian Groups
As per recent reports, various Russian and Belarusian organizations have been targets of spear-phishing campaigns. These organizations belong to the non-profit, media, and international government sectors. Threat actors who orchestrated these spear-phishing campaigns appear to have interests that align with the Russian government. In this article, we’ll dive into these Russian cyber attacks and uncover the details. Let’s begin!
Spear-Phishing Campaigns: Threat Actors And Targets
According to the information available, one of the two campaigns has been attributed to COLDRIVER. The COLDRIVER threat actor is an online adversary known to have ties with Russia’s Federal Security Service (FSB). The COLDWASTREL threat cluster is assumed to be responsible for the second set of attacks.
Apart from the organizations mentioned above, other targets of the spear-phishing campaigns include exiled figures who oppose Russia, United States (US) think tanks and policy officials, and a former US ambassador to Ukraine. Providing detail about the attacks and the targets, Access Now, a not-for-profit digital civil rights organization, has stated that:
“Both kinds of attacks were highly tailored to better deceive members of the target organizations. The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known.”
Russian Cyber Attacks: Tools And Techniques
As far as attack tactics are concerned, these spear-phishing campaigns rely on social engineering. The lure is a PDF file containing a malicious link, distributed in emails sent from Proton Mail accounts that pose as organizations or individuals the victim is familiar with.
When a victim clicks on the link, they are redirected to a credential harvesting page. Providing details pertaining to these spear-phishing campaigns, The Citizen Lab has stated that:
“We often observed the attacker omitting to attach a PDF file to the initial message requesting a review of the ‘attached’ file. We believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection, and select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment).”
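The lure pattern described above (a free-mail sender impersonating a known contact, a message that asks for review of an "attached" file that was never attached, and a PDF whose only job is to carry a link) lends itself to simple mail-triage heuristics. The following is an added example, not code from the original article or from either research team; the contact list, free-mail domain set and sample messages are constructed, and the PDF check is a crude byte-level heuristic rather than a full parser.

```python
"""Heuristic triage of inbound mail for the lure pattern discussed above."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical directory of people the recipient legitimately corresponds with.
KNOWN_CONTACTS = {"Anna Example": "anna@example-ngo.org"}
# Free-mail domains the campaigns are reported to use; constructed list.
FREEMAIL_DOMAINS = {"proton.me", "protonmail.com", "pm.me"}


def triage(raw: str) -> list[str]:
    """Return a list of finding tags for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name matches someone we know, but the address is a free-mail one.
    if (domain in FREEMAIL_DOMAINS and name in KNOWN_CONTACTS
            and KNOWN_CONTACTS[name].lower() != addr.lower()):
        findings.append("freemail-sender-impersonates-known-contact")
    attachments = [p for p in msg.walk() if p.get_filename()]
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body += part.get_payload(decode=True).decode(errors="replace")
    # The "attached file" that is not there: the selection trick Citizen Lab saw.
    if re.search(r"\battached\b", body, re.I) and not attachments:
        findings.append("references-attachment-but-none-present")
    # A PDF carrying a clickable /URI action is the reported credential lure.
    for part in attachments:
        if part.get_content_type() == "application/pdf":
            if b"/URI" in part.get_payload(decode=True):
                findings.append("pdf-contains-uri-action")
    return findings


def build_sample(with_pdf: bool) -> str:
    """Construct a sample lure message (fictional sender, domain and link)."""
    m = EmailMessage()
    m["From"] = "Anna Example <anna.example@proton.me>"
    m["To"] = "victim@example-ngo.org"
    m["Subject"] = "Please review the attached document"
    m.set_content("Hi, could you review the attached PDF and send comments?")
    if with_pdf:
        pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (https://lookalike.example/login) >> >> endobj\n%%EOF")
        m.add_attachment(pdf, maintype="application", subtype="pdf", filename="review.pdf")
    return m.as_string()
```

Run `triage(build_sample(False))` and `triage(build_sample(True))` to see the two variants of the lure flagged; a real deployment would feed these tags into the mail gateway's quarantine or SOC alerting rather than act on them directly.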
Proton Mail and Proton Drive have previously been used for cyber attacks by both of these threat actors, and such tactics were first recorded in March 2023. Despite the similarities between the two threat actors, COLDWASTREL differs from COLDRIVER in the lookalike domains it uses for malicious purposes.
It’s worth mentioning here that spear-phishing remains an effective technique for these threat actors: it lets them sustain operations worldwide while keeping their more sophisticated attack capabilities out of view. Cybersecurity experts must understand such tactics to develop an effective protection strategy.
Conclusion
These spear-phishing campaigns, attributed to COLDRIVER and COLDWASTREL, demonstrate the evolving tactics of cyber threat actors aligned with Russian interests. By exploiting social engineering and credential harvesting, they pose a significant threat to organizations and individuals opposing Russian policies. In light of such attacks, ensuring the use of proactive security protocols is essential as it can help lower the risk of exposure.
The sources for this piece include articles in The Hacker News and Forbes.