Russian cyber snoops linked to massive credential-stealing campaign

Russia's Federal Security Service (FSB) cyberspies, joined by a new digital snooping crew, have been conducting a massive online phishing espionage campaign via phishing against targets in the US and Europe over the past two years, according to the University of Toronto's Citizen Lab.

In research published on Wednesday, Citizen Lab attributed the campaign, dubbed River of Phish, to the FSB-backed COLDRIVER (aka Star Blizzard, UNC4057 and Callisto) along with a second group it named COLDWASTREL. 

The campaign began in 2022 with an aim to steal user credentials and 2FA tokens from Russian opposition figures-in-exile and staff at Russian, US, and European-based nongovernmental organizations, as well as media outlets, US think tanks and former government officials.

These are the same targets that COLDRIVER has been targeting in phishing campaigns since at least 2019, and the cyberspies have also repeatedly tried to influence Western elections over the years. 

Also beginning in 2022, COLDRIVER started trying to break into email inboxes and networks belonging to defense-industrial targets and US Department of Energy facilities, according to the Five Eyes nations.

With River of Phish, both groups likely chose their targets based on their "extensive networks among sensitive communities, such as high-risk individuals within Russia," according to Citizen Lab.

The spyware experts also warned that compromising these individuals "could result in extremely serious consequences, such as imprisonment or physical harm to themselves or their contacts."

Plus, the researchers say they suspect that the Russian spies targeted a much larger pool than the civil society organizations that Citizen Lab, working with Access Now and the orgs themselves, investigated.

"We have observed US government personnel impersonated as part of this campaign, and given prior reporting about COLDRIVER's targeting, we expect the US government remains a target," according to the report.

It's also worth noting that Citizen Lab didn't find any spyware — or malware in general — on victims' devices as part of this campaign. 

"The focus on account access simplifies the attack infrastructure that is needed, as the attackers do not need to gain persistence or establish ongoing communications with the target's machine," the researchers wrote. 

However, it's extremely likely that the individuals targeted in River of Phish also face additional threats including spyware, Citizen Lab added. 

• Russia, Iran pose most aggressive threat to 2024 elections, say infoseccers
• Google TAG: Kremlin cyber spies move into malware with a custom backdoor
• Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets
• Reckon Russian spies are lurking in your inbox? Check for these IOCs, Microsoft says

These attacks typically begin with an email exchange from the Russians pretending to be a colleague of the victim or a US government employee, we're told.

The messages ask the recipient to review a document, but the senders also frequently "forget" to attach a PDF. 

"We believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection, and select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment)," the report says.

When the PDF does land in the target's inbox, it purports to be encrypted by ProtonDrive, which is part of the ruse, and then opened displays blurred text with a link to "decrypt" the file.

If the target clicks on the link, then the browser starts communicating with the attacker's server and runs JavaScript code to fingerprint the victim's browser and returns the fingerprint to the server and decides how to proceed — for example, showing a CAPTCHA to the victim before redirecting them to a malicious website.

Citizen Lab surmises this fingerprinting is intended to prevent automated tools from analyzing the second-stage infrastructure that includes the phishing page where the attackers steal the victims' credentials and tokens.

The researchers attribute these attacks to COLDRIVER based on the crew's favored tactics: specifically using spear phishing to target military personnel, government officials, think tanks and the media, and impersonating legitimate websites and email addresses to trick their marks into providing credentials.

Plus, they note, threat analysts at Proofpoint shared publicly available PDFs from VirusTotal that the security shop has attributed to COLDRIVER. And those PDFs indicated "multiple critical overlaps with the River of Phish campaign."

COLDWASTREL swimming in COLDRIVER's streams

However, some of the bait PDFs differed in significant ways from those originating from COLDRIVER campaigns. This included the PDF version and language. COLDRIVER sends its files in English, while the second group wrote in Russian. 

Plus, while COLDRIVER's PDFs purport to come from "plausible-yet-obscure English language names," some of the PDF authors in the campaign were simply "user."

Additionally, COLDRIVER, as it has in previous campaigns, redirected victims to fingerprint, and then to separate domain to steal their credentials. The PDFs believed to come from COLDWASTREL, on the other hand, send victims directly to a website hosting the phishing kit.

"While we are not attributing this campaign, and have only a limited number of targets, we note that the COLDWASTREL targeting that we have observed does appear to align with the interests of the Russian government," Citizen Lab said. ®