Phishing Tactics Targeting Russia’s Perceived Adversaries Worldwide – The Citizen Lab

River of Phish is a sophisticated spear phishing campaign attributed to COLDRIVER (FSB) targeting civil society figures and NGOs across Russia, the West, and worldwide with personalized social engineering and encrypted-PDF lures. A second actor, COLDWASTREL, appears to pursue similar targets, while Citizen Lab shares indicators with email providers to help block these attacks.
#RiverOfPhish #COLDRIVER #COLDWASTREL #FSB #AccessNow #ProektMedia #FirstDepartment #ArjunaTeam #RESIDENT.ngo

Key points

  • The “River of Phish” campaign targets civil society organizations and individuals, particularly those connected to Russia, Ukraine, and Belarus.
  • COLDRIVER is linked to the Russian FSB and has been active since at least 2019.
  • Targets include opposition figures, NGO staff, and former officials, with a focus on those with extensive networks.
  • Attackers use personalized emails, often impersonating known contacts, to lure targets into clicking malicious links.
  • The campaign employs fake encrypted PDFs to facilitate credential theft.
  • COLDWASTREL is identified as a separate threat actor targeting similar communities.
  • The Citizen Lab is sharing indicators with email providers to help block these phishing attempts.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Personalized emails that impersonate a known contact deliver a fake encrypted-PDF lure; the link offered to "decrypt" or open it leads to attacker-controlled first-stage infrastructure.
  • [T1027] Obfuscated Files or Information – JavaScript served by the first-stage domain fingerprints the visiting browser before redirecting it to the phishing page.
  • [T1056.003] Input Capture: Web Portal Capture – The final page imitates the target's webmail login page and captures the username, password, and two-factor code the target enters. (The original mapping to T1003, OS Credential Dumping, does not apply: nothing is dumped from a host; the credentials are typed into a look-alike login form.)
  • [T1078] Valid Accounts – The captured credentials and two-factor code are then used to sign in to the victim's webmail account. No vulnerability in the webmail service itself is exploited; access comes entirely from the phished credentials.

Indicators of Compromise

  • [Domain] First-stage domains – ithostprotocol[.]com, xsltweemat[.]org, eilatocare[.]com, egenre[.]net, esestacey[.]net, ideaspire[.]net, and 1–2 more (first-stage domains used in campaign)
  • [Domain] Phishing infrastructure domains – togochecklist[.]com, vocabpaper[.]com, and 2 more domains (phishing infrastructure overlaps)
  • [SHA256] COLDRIVER PDF hashes – b07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d, 0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88, and 7 more hashes (Appendix)
  • [Domain] ProtonDrive related domains – protondrive[.]online, protondrive[.]me, protondrive[.]services (COLDWASTREL/COLDRIVER usage)
  • [Domain] HubSpot/CRM-related domains – dj-kqf04.eu1.hubspotlinksfree[.]com (used in PDFs), hubspotlinksfree[.]com (HubSpot infrastructure)
  • [SHA256] COLDWASTREL PDF hash – 4a9a2c2926b7b8e388984d38cb9e259fb4060cccc2d291c7910be030ae5301a3
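The indicators above are published defanged (`[.]` for `.`), and one of them, `hubspotlinksfree[.]com`, is HubSpot's own link-tracking domain, so blocking or alerting on the whole apex would flag legitimate HubSpot mail; only the specific tracked-link host is a usable indicator. The script below, an added example and not part of the Citizen Lab report or its tooling, refangs the published domains, matches attacker-owned domains by suffix (so `dj-kqf04.eu1.<domain>`-style subdomains still hit) but matches the HubSpot host exactly, and checks attachment hashes against the published PDF hashes. The log lines and the attachment bytes are constructed for illustration; `SAMPLE_LOG`, `scan_all`, and the other names are the example's own.

```python
"""Match the River of Phish IoCs against proxy/mail-gateway log lines and
attachment hashes. Added example; sample log lines and bytes are constructed."""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Attacker-controlled domains from the report, defanged as published.
# Any host under one of these (or the apex itself) is a hit.
DEFANGED_SUFFIX_DOMAINS = [
    "ithostprotocol[.]com", "xsltweemat[.]org", "eilatocare[.]com",
    "egenre[.]net", "esestacey[.]net", "ideaspire[.]net",
    "togochecklist[.]com", "vocabpaper[.]com",
    "protondrive[.]online", "protondrive[.]me", "protondrive[.]services",
]

# hubspotlinksfree[.]com is HubSpot infrastructure shared with legitimate
# senders, so only the exact tracked-link host from the lure PDFs is matched.
DEFANGED_EXACT_HOSTS = ["dj-kqf04.eu1.hubspotlinksfree[.]com"]

# Published SHA-256 hashes of COLDRIVER and COLDWASTREL lure PDFs.
LURE_PDF_SHA256 = {
    "b07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d",
    "0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88",
    "4a9a2c2926b7b8e388984d38cb9e259fb4060cccc2d291c7910be030ae5301a3",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("x[.]com", "hxxp://") back into a real one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


SUFFIX_DOMAINS = {refang(d) for d in DEFANGED_SUFFIX_DOMAINS}
EXACT_HOSTS = {refang(h) for h in DEFANGED_EXACT_HOSTS}


def host_matches(host: str) -> Optional[str]:
    """Return the matching indicator for `host`, or None.

    Exact hosts must match label-for-label; suffix domains match the apex
    itself or any subdomain of it (never a partial label such as
    "notprotondrive.me").
    """
    host = host.lower().rstrip(".")
    if host in EXACT_HOSTS:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SUFFIX_DOMAINS:
            return candidate
    return None


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def scan_log_line(line: str) -> List[Tuple[str, str]]:
    """Return (url, matched_indicator) for every URL in `line` that hits an IoC."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname or ""
        matched = host_matches(host)
        if matched:
            hits.append((url, matched))
    return hits


def scan_all(lines: List[str]) -> List[Tuple[str, str]]:
    return [hit for line in lines for hit in scan_log_line(line)]


def attachment_is_known_lure(data: bytes) -> bool:
    """True if the attachment's SHA-256 is one of the published lure hashes."""
    return hashlib.sha256(data).hexdigest() in LURE_PDF_SHA256


# Constructed sample gateway lines (not real logs): two hits, two benign,
# including a legitimate HubSpot tracked link that must NOT match.
SAMPLE_LOG = [
    "2024-08-14T09:12:03Z user=analyst url=https://dj-kqf04.eu1.hubspotlinksfree.com/Ctc/xyz action=allow",
    "2024-08-14T09:13:41Z user=analyst url=https://mail.proton.me/inbox action=allow",
    "2024-08-14T09:15:22Z user=ngo-staff url=http://cdn.protondrive.online/share/doc.pdf action=allow",
    "2024-08-14T09:16:05Z user=ngo-staff url=https://abc123.hubspotlinksfree.com/newsletter action=allow",
]

if __name__ == "__main__":
    for url, ioc in scan_all(SAMPLE_LOG):
        print(f"HIT {ioc:<40} {url}")
    print("known lure PDF:", attachment_is_known_lure(b"%PDF-1.7 constructed sample"))
```

Feed real gateway exports through `scan_all` and hash quarantined attachments with `attachment_is_known_lure`; do not resolve or browse to the indicator domains from an analyst workstation, since the first-stage JavaScript fingerprints whoever visits.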

Read more: https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/