Two phishing campaigns linked to Russia have been targeting human rights organizations, independent media, and civil society members in Eastern Europe and the United States, according to a joint investigation by Access Now and The Citizen Lab. One campaign is attributed to Coldriver, a group also tracked as Star Blizzard and Callisto that the U.S. and U.K. governments have tied to Russia's FSB; the other to a newly identified actor the researchers call Coldwastrel.
The attackers sent emails from what appeared to be Proton Mail accounts, using display names that impersonated organizations or people the targets already knew. Each email carried a PDF that appeared to be encrypted or locked, together with a link that supposedly unlocked it. The link instead led to a counterfeit login page that captured the target's password and, once entered, the two-factor authentication code as well. A one-time code harvested this way can be replayed by the attacker immediately, so SMS and authenticator-app codes do not stop this flow; only phishing-resistant authenticators such as FIDO2 security keys, which are bound to the legitimate site's origin, do.
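As an added example (this is not code from the article or from the researchers' report), the following Python script triages a raw .eml message for the lure shape described above: a free-webmail sender whose display name matches a known contact but whose domain does not, "unlock" or "decrypt" wording in the body, and a PDF attachment whose link annotations point at an external host. The contact allowlist, the message and the PDF are constructed for the example; hostnames ending in .invalid are placeholders.

```python
"""Triage of a raw email for the locked-PDF credential-phishing lure.

Example code added to this article, not from the original page or from the
Access Now / Citizen Lab report.  The contact allowlist, the message and the
PDF below are constructed test data, not real campaign artefacts.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed allowlist: display names we expect mail from, and the sending
# domains that are legitimate for each.  A real deployment would load this
# from the address book or directory.
KNOWN_CONTACTS = {"Jane Doe": {"example-ngo.invalid"}}

# Free webmail providers; a known contact writing from one of these instead of
# their organisation's domain is a classic impersonation signal.
FREE_WEBMAIL = {"proton.me", "protonmail.com", "pm.me", "gmail.com", "outlook.com"}

# Link annotations in a PDF carry their target as /URI (literal string).
# This only catches plain literal strings in uncompressed objects (see note).
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Wording typical of the lure as described in the article (heuristic, not a signature).
LURE_WORDS = re.compile(
    r"\b(unlock|decrypt|protected (file|document)|encrypted (file|document))\b", re.I
)


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return the /URI targets of link annotations found in raw PDF bytes."""
    return [m.decode("latin-1") for m in PDF_URI_RE.findall(pdf_bytes)]


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the sender plus a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_CONTACTS.get(name, set())
    findings = []

    if name in KNOWN_CONTACTS and domain not in expected:
        findings.append(
            f"display name {name!r} but sender domain {domain!r} is not one of {sorted(expected)}"
        )
    if domain in FREE_WEBMAIL:
        findings.append(f"sender domain {domain!r} is a free webmail provider")

    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and LURE_WORDS.search(body.get_content()):
        findings.append("body uses unlock/decrypt lure wording")

    link_hosts = set()
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        for uri in extract_pdf_uris(part.get_payload(decode=True)):
            host = (urlparse(uri).hostname or "").lower()
            if host:
                link_hosts.add(host)
            if host and host != domain and host not in expected:
                findings.append(f"PDF {part.get_filename()!r} links out to {host!r}")

    return {"from": addr, "findings": findings, "pdf_link_hosts": sorted(link_hosts)}


def build_sample() -> bytes:
    """Constructed message reproducing the lure shape: known-contact display
    name, free-webmail sender, 'locked' PDF whose only link leaves for another host."""
    pdf = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 500 740]\n"
        b"   /A << /S /URI /URI (https://login.example.invalid/unlock?doc=grant) >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe.ngo@proton.me>"
    msg["To"] = "newsroom@example-media.invalid"
    msg["Subject"] = "Grant agreement (protected)"
    msg.set_content(
        "Hi, the attached agreement is encrypted. Please unlock it using the link inside the PDF."
    )
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="agreement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["from"])
    for finding in result["findings"]:
        print(" -", finding)
```

Two caveats for anyone adapting this. The regex only sees /URI literal strings in uncompressed objects; real lures often sit inside FlateDecode object streams or use hex strings, so a production pipeline should extract annotations with a proper PDF parser rather than a byte pattern. And none of these signals is conclusive on its own: the PDF in this lure carries no exploit, the entire payload is the link, which is why the decision should rest on the combination of sender mismatch, lure wording and an outbound link to a host the sender has no relationship with.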
Access Now, a digital rights nonprofit, and digital forensics researchers at The Citizen Lab found no malware in these attacks, which indicates that the attackers were after account access rather than control of the targets' devices.
Targets included Russian and Belarusian human rights groups and Russian independent media outlets such as Proekt, known for its investigative reporting on human rights abuses, corruption, and repression. The campaigns also went after a U.S.-based human rights organization and Steven Pifer, a former U.S. ambassador to Ukraine now affiliated with Stanford's Center for International Security and Cooperation.
Some targets ignored the emails; others were misled into submitting their credentials. The damage from a compromised mailbox is considerable, particularly for Russian and Belarusian organizations and independent media, whose email may contain sensitive information about their operations and personnel.
The campaigns, active from at least October 2022 to the present, were carefully tailored: each email referenced situations plausible for the specific recipient or organization. How closely Coldwastrel is connected to Coldriver remains unclear, but both show a detailed understanding of the regional context and a deliberate focus on taking over accounts rather than compromising systems.
Coldriver in particular has been observed taking steps to hide its infrastructure and has a record of targeting high-profile individuals and entities aligned with NATO. Its activity has consistently served Russian government interests and has included at least one campaign, documented by Google's Threat Analysis Group in January 2024, that delivered a backdoor named Spica.
These findings underscore the continuing threat that spear phishing poses to civil society and to individuals in positions of influence. The persistence of these actors calls for sustained vigilance and for account protections that hold up against credential phishing, not merely stronger passwords.
