Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russian FSB Hackers Behind Espionage Campaign Targeting NGOs

Security Researchers Also Uncovered a New Suspected Russian Threat Group
Russian FSB Hackers Behind Espionage Campaign Targeting NGOs
Peel back the layers and you'll find Russian malware. (Image: Shutterstock)

A Russian hacking group notorious for hack-and-leak operations is behind a recent espionage campaign targeting Russian dissidents and rights groups across the United States and Europe.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Researchers at University of Toronto's The Citizen Lab and digital rights group Access Now said Wednesday that the Federal Security Service hacking group known as Coldriver, Callisto Group and Star Blizzard is targeting figures with connections to Russia, Ukraine or Belarus. Attackers typically closely target victims by masquerading as someone known to them.

Researchers also uncovered what they say is a previously unidentified threat actor targeting similar communities. They dubbed the group Coldwastrel and said its activity "aligns with the interests of the Russian government."

Coldriver has a sustained history of spear-phishing, including a nearly 10-year campaign against British lawmakers in multiple political parties and the leaking of classified documents (see: UK and US Accuse Russian FSB of 'Hack and Leak' Operation). Members of the threat group have been indicted in the U.S. and sanctioned in Europe, Britain and the U.S. A December warning published by English-speaking countries that make up the Five Eyes intelligence alliance warned that the group continues to be active.

The group's latest campaign began with the targets receiving emails that appeared to come from someone familiar, asking them to review a PDF related to their work or a news article. When opened, the document contents appear blurred - supposedly because of encryption - requiring victims to click on a link to "decrypt" it. The link fetches JavaScript code that delivers a fingerprint of the target system to attackers, who decide whether to proceed with the attack. Victims are then shown a fake login screen for their email service, such as Gmail or ProtonMail.

To avoid potential detection, the threat actors hosted their malware infrastructure on a hosting service that rotated IP addresses every 24 hours. Microsoft and Recorded Future last year said that Coldriver began avoiding using themes when registering malicious domains after realizing that researchers could track its infrastructure by spotting patterns (see: Russian Hacking Group Shakes Up Its Infrastructure).

The Coldwastrel campaign identified by researchers is superficially much the same as the Coldriver campaign, but on closer examination the PDFs used as lures and the front-end infrastructure show some key differences. Coldriver attackers make sure the PDF language in their lure documents is set to English while Coldwastrel operators leave it as Russian. The malicious links in the Coldriver campaign are unique to each PDF, while Coldwastrel links are consistent across multiple targets.

Russian intelligence agencies continue to rely on phishing techniques, The Citizen Lab said, for a simple reason: They work. The cost of discovery is low, the rate of success is good, and they avoid "exposing more sophisticated (and expensive) capabilities to discovery."


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.