New Report Uncovers Advanced Phishing Tactics by Russia


A recent investigation by security researchers has revealed that Russia's state security agency is deploying increasingly sophisticated phishing attacks against civil society members in the US, Europe, and Russia. The report, jointly produced by the Citizen Lab at the University of Toronto and Access Now, sheds light on the evolving tactics used by Russian state-sponsored hackers.

Targeting High-Profile Individuals

The attacks have targeted notable figures such as Steven Pifer, former US ambassador to Ukraine, and Polina Machold, an exiled Russian publisher. These individuals were subjected to highly convincing impersonation attempts, with hackers posing as trusted contacts to gain access to sensitive information.

Machold, who now resides in Germany after being expelled from Russia in 2021, described a particularly cunning attempt. She received an email from a supposed colleague asking her to review an attached file. When she pointed out that the attachment was missing, a follow-up email arrived months later from a Proton Mail address, a service commonly used by journalists for secure communication. The attached file, disguised as a Proton Drive document, prompted for login details, which raised suspicions.

Sophisticated Tactics

The report identifies two threat actors: Coldriver, attributed to Russia's Federal Security Service (FSB) by multiple governments, and Coldwastrel, which exhibits similar targeting patterns. Their methods include:

  1. Impersonating known contacts to initiate email exchanges
  2. Requesting targets to review seemingly legitimate documents
  3. Using fake login pages for privacy-focused services like Proton Drive
  4. Pre-populating login pages with target email addresses for added authenticity
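The first two tactics rely on a display name the target recognises arriving from an address the target has never corresponded with. A mail filter or triage script can catch exactly that pattern by comparing the From header against the recipient's own address book. The following is an added example for illustration, not code from the Citizen Lab and Access Now report; the contact names, addresses and domains in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the addresses this recipient actually knows
# each contact by. Keys are lower-cased display names. (Hypothetical data.)
TRUSTED_CONTACTS = {
    "anna example": "anna.example@newsroom.example",
}


def check_sender(raw_message, trusted=TRUSTED_CONTACTS):
    """Return a list of findings about the From / Reply-To headers.

    display_name_mismatch: the display name is that of a trusted contact,
        but the address is not the one on record for that contact (the
        "known colleague writing from a new webmail account" pattern).
    reply_to_divergence: replies would go to a different address than the
        apparent sender, so the "conversation" is really with someone else.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    known_addr = trusted.get(from_name.strip().lower())
    if known_addr is not None and from_addr.lower() != known_addr:
        findings.append("display_name_mismatch")

    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply_to_divergence")

    return findings


# Constructed sample messages (not real captured mail).
LEGIT_MESSAGE = (
    "From: Anna Example <anna.example@newsroom.example>\n"
    "Subject: Draft for review\n"
    "\n"
    "Could you look over the attached draft?\n"
)

SUSPECT_MESSAGE = (
    "From: Anna Example <anna.example.2024@webmail-placeholder.example>\n"
    "Reply-To: editor-desk@elsewhere.example\n"
    "Subject: Re: Draft for review\n"
    "\n"
    "Sorry, forgot the attachment last time. Here is the file.\n"
)


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        print(label, check_sender(raw) or ["no findings"])
```

The check is deliberately narrow: it does not try to judge the message body or any attachment, only whether a familiar name has shown up on an unfamiliar address, which is the one signal a recipient in Machold's position could have acted on before opening the file. In practice the address book would be populated from the user's own sent mail rather than a literal dict.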

Immediate Risks

Rebekah Brown, a senior researcher at the Citizen Lab, warns of the severe consequences if attackers gain access to email accounts and online storage. "There are immediate risks to life and safety, especially if information concerning people still in Russia is in those accounts," she stated.

Vulnerable Targets

The investigation reveals that Russian independent media and human rights groups in exile face the same kind of advanced phishing attacks as current and former US officials. However, these groups often lack the resources to protect themselves adequately, which makes the consequences of a compromise even more severe.

Natalia Krapiva, senior tech legal counsel at Access Now, emphasized the disparity in resources, stating, "Russian independent media and human rights groups in exile face the same type of advanced phishing attacks that target current and former US officials. Yet they have many fewer resources to protect themselves, and the risks of compromise are much more severe."

As state-sponsored hacking campaigns continue to evolve, this report serves as a stark reminder of the ongoing threats faced by civil society members and the need for increased cybersecurity measures.