
Russian hackers caught snooping on media outlets, human rights groups, and former US ambassador


Hackers linked to the Russian government have been targeting individuals involved with Eastern European human rights groups, media outlets, and a former US ambassador to Ukraine. So far, the attacks have taken the form of spear-phishing emails that appear to come from people the target knows, such as friends or family, at least in the case of Steven Pifer, the targeted former ambassador.

Researchers from The Citizen Lab, in collaboration with the digital civil rights group Access Now, discovered the campaign. According to the findings, the campaign involves two hacking groups, COLDRIVER and COLDWASTREL. While COLDRIVER has been associated with the FSB, Russia's security agency, the researchers were less confident in attributing COLDWASTREL's activity to Moscow. That said, its choice of targets does align with the Russian government's interests.

The campaign primarily targeted individuals focused on Russia, Belarus, and Ukraine, some of whom still live and work in Russia. The Citizen Lab's report states that both groups used Protonmail, an end-to-end encrypted email service, to send bogus emails to targets in an attempt to lure them to fake login pages. Some targets confirmed that they had entered their credentials on such pages.

A phishing email sent as part of the campaign. | Source: The Citizen Lab

Although the campaign was technically simple, the social engineering side of the attack was well executed. The emails typically ask the recipient to review a document relevant to their work, such as a grant proposal or an article draft.

Researchers also noticed that most emails did not include the document in question, usually a PDF, in the first message. This is believed to be intentional: by holding a short back-and-forth conversation with the target before sending the attachment, the threat actors built trust and reduced the chance of the lure being caught.

That said, a few cases used a different method. The attackers also sent emails designed to look like a document-sharing notification, with the phishing link embedded directly in the message body. If that attempt failed, they would follow up with their usual PDF approach.
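The lure in both variants ends at a link to a fake login page, either in the message body or inside the PDF. One practical check a defender can run on the attachment is to pull every link target out of the PDF and compare its host against the provider the document claims to come from. The script below is an added example written for this article, not code from The Citizen Lab, Access Now, or the report; the sample PDF, the brand allow-list (proton.me, protonmail.com) and the lookalike host are all constructed here and are not taken from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The second host is an invented lookalike, not an indicator from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://proton.me/support) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://proton-me-login.example/drive/share?id=7) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed allow-list: hosts the lure claims to belong to (example values).
BRAND_HOSTS = {"proton.me", "protonmail.com"}
BRAND_KEYWORDS = ("proton",)

# /URI (literal string) with PDF backslash escapes allowed inside the parens
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_pdf_uris(pdf: bytes) -> list:
    """Return the /URI targets of link annotations in an uncompressed PDF.

    Real-world PDFs often keep objects in compressed object streams; in that
    case decompress first (e.g. with pikepdf) and run this over the result.
    """
    uris = []
    for m in _URI_RE.finditer(pdf):
        raw = m.group(1).decode("latin-1")
        # undo the literal-string escapes for the characters that matter here
        uris.append(re.sub(r"\\([()\\])", r"\1", raw))
    return uris


def classify_url(url: str) -> str:
    """'first-party' for the brand's own hosts, 'lookalike' for hosts that
    borrow the brand name or use a punycode label, 'external' otherwise."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "external"
    if any(host == b or host.endswith("." + b) for b in BRAND_HOSTS):
        return "first-party"
    if any(k in host for k in BRAND_KEYWORDS) or "xn--" in host:
        return "lookalike"
    return "external"


def scan_pdf(pdf: bytes) -> dict:
    """Map each link target in the PDF to its verdict; alert on 'lookalike'."""
    return {u: classify_url(u) for u in extract_pdf_uris(pdf)}


if __name__ == "__main__":
    for url, verdict in scan_pdf(SAMPLE_PDF).items():
        print(f"{verdict:11s} {url}")
```

The host comparison is deliberately strict: only an exact match or a subdomain of an allow-listed host counts as first-party, so a registered domain that merely contains the brand name is flagged. The same `classify_url` check can be applied to links extracted from the message body in the document-share variant.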


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
