August 16, 2024 at 09:21AM
Two Russia-linked threat actors have been targeting entities critical of Russia through ongoing spear-phishing campaigns since 2023. Phishing emails impersonating Proton email service staff members have been sent to international NGOs, media organizations, Russian opposition figures, and US and European NGOs, posing serious risks to the targets. The attacks involve personalized spear-phishing emails and attempts to capture user credentials.
The two Russia-linked threat actors have been conducting extensive spear-phishing campaigns against entities perceived as Russia’s enemies. These attacks have been ongoing since the beginning of 2023 and were still active as of August 2024, with various international NGOs among the targets.
The targets include media organizations, Russian opposition figures in exile, staff at NGOs in the US and Europe, funders, former officials, and academics in the US think tank and policy space. The common link between the targets is their focus on Russia, Ukraine, or Belarus.
One of the threat actors, known as Coldriver, is believed to be subordinate to Russia’s intelligence agency, the Federal Security Service (FSB). It has been active since at least 2015 and is also tracked under aliases such as BlueCharlie, Callisto, Seaborgium, Star Blizzard, and TA446.
The second threat actor, Coldwastrel, appears to be new to the threat landscape and its targeting aligns with the interests of the Russian government.
The threat actors have been delivering personalized spear-phishing emails to their targets, often impersonating colleagues, funders, and US government employees. The emails instructed the targets to review a PDF attachment, purportedly encrypted with a privacy-focused online service; when opened, the PDF displayed blurred text along with a link to decrypt or access the file.
If the victim clicked the phishing link, their system was fingerprinted, and high-risk targets were redirected to a phishing page impersonating their email service. If the victim entered their login credentials, the attackers used them to access the victim’s account.
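The lure chain described above (staff-impersonating sender, an "encrypted" PDF with blurred text, and a link the recipient is told to follow to decrypt it) lends itself to simple mailbox-side triage. The following is an added example written for this summary, not code from the report or from any of the organizations named; it uses only the Python standard library. The list of legitimate Proton domains, the lure phrases, the finding tags, and the two sample messages are all assumptions constructed for the demonstration.

```python
"""Triage heuristics for the "encrypted PDF" phishing lure (added example).

Scores an email on four signs of the lure: a display name claiming to be
Proton staff sent from a non-Proton domain, a look-alike domain that borrows
the brand name, a PDF attachment accompanied by decrypt/access wording, and a
link the reader is told to follow to decrypt or access the file.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: domains a genuine Proton notification would be sent from.
PROTON_DOMAINS = {"proton.me", "protonmail.com"}

# Assumed lure phrasing, matched case-insensitively against the body text.
LURE_PATTERNS = (
    r"\bdecrypt\b",
    r"\baccess (?:the|this|your) (?:file|document|pdf)\b",
    r"\bencrypted (?:pdf|document|file)\b",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(msg: EmailMessage) -> list[str]:
    """Return 'tag: detail' findings for one message; empty list means no signal."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display-name impersonation: "Proton ..." in the name, non-Proton domain.
    if "proton" in name.lower() and domain not in PROTON_DOMAINS:
        flags.append(f"sender-mismatch: display name {name!r} but domain {domain!r}")
    # 2. Look-alike domain that borrows the brand name.
    if "proton" in domain and domain not in PROTON_DOMAINS:
        flags.append(f"lookalike-domain: {domain!r}")

    # Body text (plain part preferred, HTML otherwise) and any PDF attachments.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    pdfs = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if part.get_content_type() == "application/pdf"
        or (part.get_filename() or "").lower().endswith(".pdf")
    ]
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    urls = URL_RE.findall(body)

    # 3. The lure needs both the attachment and the decrypt/access wording;
    #    a PDF on its own is ordinary business mail.
    if pdfs and lure_hits:
        flags.append(f"encrypted-pdf-lure: {pdfs} with {len(lure_hits)} lure phrase(s)")
    # 4. A link the reader is told to follow to decrypt or access the file.
    if urls and lure_hits:
        flags.append(f"decrypt-link: {urls}")
    return flags


def triage_raw(raw: bytes) -> list[str]:
    """Same check over a raw RFC 5322 message, e.g. the bytes of a saved .eml."""
    return triage(BytesParser(policy=policy.default).parsebytes(raw))


def build_sample(malicious: bool = True) -> EmailMessage:
    """Constructed sample messages for the demo; neither is a real captured email."""
    msg = EmailMessage()
    if malicious:
        msg["From"] = '"Proton Mail Support" <support@proton-secure-mail.example>'
        msg["Subject"] = "Encrypted document shared with you"
        msg.set_content(
            "A colleague shared an encrypted PDF with you.\n"
            "The text is protected; please decrypt the file here:\n"
            "https://proton-secure-mail.example/decrypt?id=123\n"
        )
    else:
        msg["From"] = "Alice Example <alice@ngo.example>"
        msg["Subject"] = "Minutes from Tuesday"
        msg.set_content("Minutes attached, see you Thursday.\n")
    msg["To"] = "analyst@ngo.example"
    msg.add_attachment(
        b"%PDF-1.4\n% constructed placeholder, not a real document\n",
        maintype="application", subtype="pdf", filename="document.pdf",
    )
    return msg


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        findings = triage(build_sample(malicious=(label == "malicious")))
        print(label, "->", findings or "no findings")
```

The benign sample also carries a PDF, so running the block shows that the attachment alone produces no finding; it is the combination of impersonated sender, decrypt wording and link that is distinctive. In practice the `PROTON_DOMAINS` set and `LURE_PATTERNS` would be tuned to the mail provider and languages your organization actually uses, and a hit should route the message to a reviewer rather than auto-delete it.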
While Coldriver did not use malware in these phishing attacks, some of the targeted entities may have been targeted with malware by other threat actors.
In light of these attacks, individuals who believe they might have been targeted with similar phishing attempts are encouraged to improve the security of their email accounts with correct multi-factor authentication settings and to contact Access Now’s Digital Security Helpline for assistance.
Related coverage includes US sanctions on Russian hacktivists, the disruption of an AI-powered Russian bot farm, and accusations of potential election cyberattacks exchanged between the US and Russia.