Investigation warns of a new wave of Russian cyberattacks
Hackers, allegedly backed by Russia's state security agency, have reportedly intensified their cyber activities. They are now launching more advanced phishing attacks against civil society members in the US, Europe, and even within Russia. These details come from an investigation conducted by the Citizen Lab at the University of Toronto and the non-profit Access Now. The new wave of attacks demonstrates an increased level of technical sophistication and strategic cunning.
Hackers impersonate close associates to target victims
The hackers have refined their social engineering tactics, now impersonating individuals close to their targets. This strategy was evident in the cases of Steven Pifer, former US ambassador to Ukraine, and Polina Machold, an exiled Russian publisher known for her investigative work on Russian President Vladimir Putin and Chechen leader Ramzan Kadyrov. In both instances, the attackers posed as familiar figures to initiate "highly credible" interactions with their targets.
Machold's case: A complex phishing attack
Machold, who has lived in Germany since her expulsion from Russia in 2021, was targeted through a complex phishing attack. She was initially contacted by a former colleague who asked her to open an attachment that, mysteriously, was not actually there. Months later, Machold received another email from the same person, this time sent from a secure Proton Mail account. When she opened the attached file, it displayed what looked like a legitimate Proton Drive page and asked for her login details.
Hackers are running phishing campaigns to gather sensitive information
The investigation revealed that these hackers are primarily interested in gathering sensitive information. The phishing campaigns targeting Pifer and Machold have been attributed to a threat actor named Coldriver, linked to Russia's Federal Security Service (FSB). Another group, Coldwastrel, has exhibited similar targeting patterns. These findings highlight the significant threats faced by Russia's independent media and human rights groups in exile, which often lack the resources to defend against such advanced attacks.
A closer look at the phishing tactic
The hackers usually initiate contact by pretending to be someone the target knows. They then ask the target to review a PDF document. The attached file often appears to be encrypted through a service such as Proton Drive, with a login page that is sometimes pre-filled with the target's email address, making it seem legitimate. Once the target enters their credentials and two-factor authentication code, the attackers gain immediate access to their email and any associated online storage.
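As an added defender-side example (not code from the report, Citizen Lab or Access Now), the following Python flags links in an email body that show the two tells described above: Proton branding served from a non-Proton host, and the recipient's own address pre-filled in the URL. The allow-list of Proton hosts and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote
# Assumption: short illustrative allow-list of genuine Proton hosts, not an authoritative one.
LEGIT_PROTON_HOSTS = {"proton.me", "protonmail.com"}

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_proton_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_PROTON_HOSTS)

def flag_lookalike_links(html_body, recipient_email):
    """Return [(href, reasons)] for links with the two tells: Proton branding on a
    non-Proton host, and the recipient's own address carried in the URL."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    recipient, findings = recipient_email.lower(), []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if _is_proton_host(host):
            continue  # genuine Proton destination, not a lookalike
        reasons = []
        if "proton" in (text + " " + href).lower():
            reasons.append("Proton-branded link served from a non-Proton host")
        if recipient in unquote(href).lower():
            reasons.append("recipient address pre-filled in the URL")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample lure (not from the report): a "shared PDF" link that claims to be
# Proton Drive but resolves elsewhere and pre-fills the target's address.
SAMPLE_HTML = """<p>Please review the attached document.</p>
<a href="https://drive-proton.example.invalid/share/report.pdf?email=reporter%40example.org">Open in Proton Drive</a>
<a href="https://drive.proton.me/urls/example-share">Genuine Proton share</a>"""
```

Running `flag_lookalike_links(SAMPLE_HTML, "reporter@example.org")` reports only the first link, with both reasons; the genuine Proton share is skipped.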