Russian hacking campaign targets rights groups, media, former US ambassador

The government-backed hackers exploited fake friends and family with spear-phishing lures, according to research published Wednesday.
Night view of Lubyanka square in Moscow, building of the Federal Security Service. (alex57111, iStock/Getty Images)

Russian government-connected hackers targeted people working for Eastern European human rights-focused groups, media outlets and a former U.S. ambassador to Ukraine with crafty email spear-phishing lures that appeared to come from acquaintances or family, according to research released Wednesday.

The campaign uncovered by the researchers illustrates the persistence of Kremlin-linked hacking campaigns and the creative methods employed by malicious hackers to compromise their targets. 

“Even after being named and shamed, Russian threat actors are bold enough to keep hacking, even as the U.S. heads into elections,” John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, told CyberScoop. “That’s something we should all be really concerned about.”

In the case of the targeted ambassador, Steven Pifer, the malicious email seemed to come from a fellow former U.S. ambassador, according to findings from Citizen Lab, which conducted the research alongside digital civil rights group Access Now and other collaborators. Pifer served as ambassador to Ukraine from 1998 to 2000, and is now a nonresident senior fellow at the Brookings Institution think tank. He did not immediately answer an email seeking comment Tuesday.

One of the two hacking groups involved, dubbed COLDRIVER, conducted its campaign this year, with fresh emails sent as recently as last week. Traces of hacking by COLDRIVER — also known as Star Blizzard, Callisto Group and other names — date back as far as 2015. Western governments have said the group is affiliated with the Russian security agency FSB.

Another, apparently new group that the organizations dubbed COLDWASTREL conducted its campaign in 2022 and 2023. The researchers noted that the group’s interests align with the Russian government, but they couldn’t “confidently attribute” it to Moscow or anyone else. The targets of the campaigns were those with a focus on Russia, Belarus and Ukraine.

Both groups used the encrypted email service ProtonMail in attempts to trick their targets into clicking on a PDF that led to fake login pages. Some of the targets said they were deceived into entering their user credentials.

The technology involved in the attack wasn’t sophisticated, said Natalia Krapiva, senior tech legal counsel at Access Now, but that doesn’t mean it wasn’t clever.

What is sophisticated about it is the social engineering side. “It requires really deep knowledge and understanding of the networks, the people, what they do, who they talk to, who are their funders, who are their friends and so on,” Krapiva told CyberScoop.

Said Scott-Railton: “Governments still spear phish if they can do it right. And this operation got a lot right. Until they got caught.”

The Russian government routinely denies any association with hacking campaigns.

One target of the campaign was Polina Machold, publisher of Proekt, an investigative news site reporting on Russian government corruption and abuses that was exiled from the country three years ago. She said she was surprised to be targeted earlier this year because of her behind-the-scenes administrative role, since journalists are targeted more frequently.

She told CyberScoop she got an email purportedly from someone she knew at another news organization to discuss a partnership. The email offered a presentation from a new project, but Machold was skeptical given her cybersecurity training and approached Citizen Lab. “It was very well done,” she said.

Machold said she was concerned that, had she been compromised, material stolen from her outlet might have been used as part of a hack-and-leak operation. It also could have led to the hackers using her compromised account in other attacks.

Human rights group First Department, digital security collective Arjuna Team and digital security consultants RESIDENT.ngo collaborated on the investigation of the hacking campaigns.

Dmitry Zair-Bek, who heads First Department, wasn’t surprised to learn his organization was targeted. His group was tipped off to the campaign by a 2022 alert from ProtonMail, which blocked the phony account that contacted them, he said.

“They consider us to be an enemy to them,” Zair-Bek said of the Russian government. “They can easily ban activities they don’t like … and that’s why they might need the information about the social sector.”

Still, he was concerned. “We wanted to learn if anything has already leaked by this attack,” he told CyberScoop. “That was the first thing we wanted to know.”

While “the attack was not that complicated,” Zair-Bek said, “it’s not less effective because you don’t expect any message from your actual colleague.”

The campaign shows that the hackers are upping their game on social engineering, said Rebekah Brown, a senior researcher at Citizen Lab. But it also shows a certain relentlessness.

Russia will target anyone they “view as a threat, regardless of where they are,” she told CyberScoop. And even when they’re called out, “the changes they do are just enough technical changes meant to get around signatures, but they just continue to carry on.”