A widespread and highly-personalized spear phishing campaign has been targeting non-governmental organizations, media, individuals, and government personnel in the West and Russia. This campaign, attributed to the Russian Federal Security Service (FSB) through the threat actor COLDRIVER, employs personalized and highly-plausible social engineering tactics to gain access to online accounts.
COLDRIVER Campaign Targeted Russian Dissidents
The targets of this phishing campaign span a range of communities, from prominent Russian opposition figures living in exile to staff at nongovernmental organizations in the U.S. and Europe, as well as funders and media organizations. A common thread is a focus on Russia, Ukraine or Belarus.
Some targets still reside and work within Russia, placing them at considerable risk. The investigators at Citizen Lab as well as its partners have chosen to withhold the names of most targets to protect their privacy and safety.
The investigators found the level of personalization in these communications striking, as the level of intimacy expressed suggested the attackers have a deep understanding of their targets’ work and networks. In some cases, the attackers had followed up with targets who failed to enter their credentials.
One notable target was identified as Polina Machold, the publisher of Proekt Media, a Russian investigative news outlet. The attackers impersonated an individual known to Machold in an attempt to compromise her account. Proekt is known for its high-profile reporting on corruption and abuses of power within the Russian government.
The investigators had also observed targeting of former U.S. officials and academics in the think tank and policy space, such as former U.S. Ambassador to Ukraine Steven Pifer, who was approached by an attacker impersonating a fellow former ambassador.
COLDRIVER Attack Flow
The typical attack flow involves the following steps:
- The threat actor initiates an email exchange with the target, masquerading as someone known to them.
- The target is asked to review a document, often with a PDF file containing a phishing link.
- If the target clicks on the link, their browser fetches JavaScript code from the attacker’s server, which computes a fingerprint of the target’s system and submits it to the server.
- The server may show a CAPTCHA to the user prior to redirecting them to a phishing page designed to look like a legitimate login page for the target’s email service.
- If the target enters their password and two-factor code, the attacker uses the credentials to access the target’s email account.
Extensive Infrastructure and Overlaps
The investigation revealed that the attackers had leveraged a network of first-stage domains, often registered through Hostinger and hosted on shared servers with rotating IP addresses, making the campaign more difficult to track and block.
The malicious PDFs used in this campaign share consistent characteristics, including the formatting and placement of the phishing link, the PDF metadata, and the use of fake English-language author names. These overlaps suggest the use of automated tools or name lists in the generation of these documents.
The investigators shared the following recommendations to protect against this highly-personalized campaign:
- Be cautious of personalized and urgent emails, verify sender information, and use strong passwords and two-factor authentication to protect online accounts.
- Be wary of PDFs with embedded links, especially if they are from unknown senders, and avoid clicking on suspicious links.
- Implement robust security measures, such as email filtering and antivirus software, and regularly update systems and software with the latest security patches.
- Additionally, train employees on phishing awareness and monitor account activity to detect and report any suspicious activity.
