In collaboration with Access Now and other civil society organizations, Citizen Lab has exposed a sophisticated spear-phishing campaign, dubbed "Rivers of Phish," that targets Russia's perceived enemies around the globe.
The investigation found that the coordinated spear-phishing singled out specific individuals across multiple countries and sectors of civil society.
The threat actor used carefully tailored digital targeting to compromise activists, journalists, and human rights defenders.
Technical Analysis
COLDRIVER, also tracked as Star Blizzard and TA446, is a group attributed to Russia's FSB. It is responsible for the well-crafted "Rivers of Phish" campaign, which targets opposition figures, journalists, NGOs, academics, and policymakers working on Russia, Ukraine, and Belarus.
The attackers send highly personalized emails impersonating contacts the target already knows. The lure is a PDF that appears to be encrypted or otherwise unreadable; the PDF itself is not malware but carries the link the target is meant to follow.
That link leads to a phishing site that harvests login credentials and captures the victim's one-time code as well, so code-based two-factor authentication does not stop the account takeover. The lure PDFs also share similar metadata structures and carry English-language author names.
The campaign's infrastructure relies on domains registered through Hostinger. The first-stage domains serve JavaScript that fingerprints the target before any phishing page is shown.
“If the target clicks on the link, their browser will fetch JavaScript code from the attacker’s server that computes a fingerprint of the target’s system and submits it to the server”
Victims named in the report include prominent figures such as Polina Machold of Proekt Media and former US Ambassador Steven Pifer.
The campaign also shows how the actor adjusts its tradecraft to evade detection, for example by moving domain registration from Namecheap to Hostinger.
Citizen Lab also identified a second campaign with similar tradecraft, which it calls COLDWASTREL. It uses PDFs with different characteristics and separate infrastructure, pointing to a complex landscape of Russian cyber-espionage activity rather than a single actor.
This activity is consistent with broader Russian state objectives and poses a severe danger to victims, especially those still inside Russia.
Despite their advanced capabilities, state-sponsored actors such as Russia's FSB continue to rely on personalized phishing because it is cheap and has a high success rate.
Such campaigns rest on extensive intelligence gathering to build highly believable lures, and every successful compromise yields contacts and context that feed the next round of attacks.
COLDRIVER's persistence reflects a high tolerance for exposure, likely a consequence of its state backing.
These campaigns frequently target civil society, a sector that, unlike government and industry, is often overlooked in cybersecurity reporting.
Russian cyber espionage is a crowded field: the SVR, GRU, and FSB all operate in it, sometimes cooperating, sometimes competing, and at times working with non-state threat actors.
Beyond phishing, Russia-affiliated actors use a range of hostile digital tactics against civil society, including censorship, stalking campaigns, account hijacking, and advanced social engineering.
This multi-pronged approach is especially dangerous for activists, journalists, and NGOs, particularly those in exile or working on Russia-related issues, and underlines how important it is to understand and protect these vulnerable targets.
Recommendations
The recommendations are as follows:
- Use two-factor authentication, preferably a phishing-resistant method such as a hardware security key, since this campaign captures one-time codes entered on its phishing pages.
- Enroll in programs for high-risk users (for example, Google's Advanced Protection Program).
- Do not click links in unexpected emails, even when the sender appears to be someone you know; this campaign impersonates familiar contacts.
- Be wary of "encrypted" or "protected" PDFs that ask you to follow a link in order to read them.
- Use reputable security software and keep it up to date.
- Use strong, unique passwords for each account; a password manager makes this practical.
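Why the two-factor recommendation needs its qualifier: the Python simulation below, added here as an illustration and not part of Citizen Lab's report or the original article, contrasts a TOTP code relayed by a phishing page with a FIDO-style assertion that is bound to the origin it was produced for. The shared secret, credential key, challenge, and domain names are constructed for the example, and an HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import struct

# Constructed sample data for this example only; nothing here comes from
# the Citizen Lab report.
TOTP_SECRET = b"constructed-shared-secret-12345"
TOTP_STEP = 30


def totp(secret: bytes, t: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time window containing t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def service_verify_totp(secret: bytes, submitted: str, now: int, step: int = TOTP_STEP) -> bool:
    """The real service accepts the current window and one on either side."""
    return any(totp(secret, now + d * step, step) == submitted for d in (-1, 0, 1))


def totp_relay_attack(now: int) -> bool:
    """Victim types password + code into the phishing page; the attacker
    forwards the code to the real service a few seconds later."""
    victim_code = totp(TOTP_SECRET, now)
    return service_verify_totp(TOTP_SECRET, victim_code, now + 5)


# Origin binding: a WebAuthn-style authenticator signs over the hash of the
# relying-party ID it was invoked from, and the service checks that hash.
def authenticator_assert(origin_rp_id: str, challenge: bytes, key: bytes) -> dict:
    rp_id_hash = hashlib.sha256(origin_rp_id.encode()).digest()
    # Real authenticators use a private-key signature; HMAC stands in here.
    sig = hmac.new(key, rp_id_hash + challenge, hashlib.sha256).digest()
    return {"rp_id_hash": rp_id_hash, "challenge": challenge, "sig": sig}


def service_verify_assertion(assertion: dict, expected_rp_id: str, challenge: bytes, key: bytes) -> bool:
    if assertion["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False  # signed for a different origin: a phishing page
    if assertion["challenge"] != challenge:
        return False  # replayed or relayed out of turn
    expected = hmac.new(key, assertion["rp_id_hash"] + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def fido_relay_attack() -> bool:
    """Same relay, but the browser invokes the authenticator from the
    lookalike origin, so the assertion is bound to the wrong RP ID.
    (A real browser would refuse the call outright; we let the signature
    happen to show the service rejects it anyway.)"""
    key = b"constructed-credential-key"
    challenge = b"server-nonce-0001"  # issued by the real service, relayed by attacker
    stolen = authenticator_assert("accounts.examp1e-login.com", challenge, key)
    return service_verify_assertion(stolen, "accounts.example.com", challenge, key)


if __name__ == "__main__":
    print("relayed TOTP accepted:", totp_relay_attack(1_700_000_000))
    print("relayed FIDO assertion accepted:", fido_relay_attack())
```

The TOTP relay succeeds because a six-digit code is valid for anyone who presents it inside the window; the FIDO-style assertion fails because the origin is part of what is signed, which is what "phishing-resistant" means in practice.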
Indicators of Compromise
COLDRIVER PDF hashes (SHA-256)
b07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d
0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88
efa2fd8f8808164d6986aedd6c8b45bb83edd70ca4e80d7ff563a3fbc05eab89
c1fa7cd73a14946fc760a54ebd0c853fab24a080cbf6b8460a949f28801e16fc
603221a64f2843674ad968970365f182c228b7219b32ab3777c265804ef67b0a
df9d77f3e608c92ef899e5acd1d65d87ce2fdb9aab63bbf58e63e6fd6c768ac3
384d3027d92c13da55ceef9a375e8887d908fd54013f49167946e1791730ba22
79f93e57ad6be28aae62d14135140289f09f86d3a093551bd234adc0021bb827
00664f72386b256d74176aacbe6d1d6f6dd515dd4b2fcb955f5e0f6f92fa078e
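The lure characteristics described in the technical analysis (a PDF that presents itself as encrypted, carries a link, and has shared metadata with an English author name) and the hash list above lend themselves to a first-pass triage script. The Python below is an added example, not code from Citizen Lab or the article: it hashes a PDF against the published IOCs, pulls the Info-dictionary fields and any /URI link actions, and checks whether a document that calls itself encrypted actually has an /Encrypt dictionary. The sample PDF, the author name, and the link domain are constructed; the function names `triage_pdf` and `lure_indicators` are this example's own.

```python
import hashlib
import re

# SHA-256 hashes of COLDRIVER lure PDFs, copied from the IOC list above.
IOC_SHA256 = {
    "b07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d",
    "0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88",
    "efa2fd8f8808164d6986aedd6c8b45bb83edd70ca4e80d7ff563a3fbc05eab89",
    "c1fa7cd73a14946fc760a54ebd0c853fab24a080cbf6b8460a949f28801e16fc",
    "603221a64f2843674ad968970365f182c228b7219b32ab3777c265804ef67b0a",
    "df9d77f3e608c92ef899e5acd1d65d87ce2fdb9aab63bbf58e63e6fd6c768ac3",
    "384d3027d92c13da55ceef9a375e8887d908fd54013f49167946e1791730ba22",
    "79f93e57ad6be28aae62d14135140289f09f86d3a093551bd234adc0021bb827",
    "00664f72386b256d74176aacbe6d1d6f6dd515dd4b2fcb955f5e0f6f92fa078e",
}

# Constructed minimal PDF standing in for a lure: a "document" whose title
# says it is encrypted, that carries a clickable link, and that is not in
# fact encrypted. Not a real COLDRIVER sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://docs-view.example-hosting.invalid/open?id=1) >> >> endobj
5 0 obj << /Author (John Smith) /Creator (Microsoft Word)
   /Producer (Microsoft: Print To PDF) /Title (Encrypted document) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Literal strings only; hex strings (<...>) and objects packed into
# compressed object streams are not handled by these patterns.
_INFO_FIELD = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(([^)]*)\)")
_URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")


def triage_pdf(data: bytes) -> dict:
    """Extract the facts an analyst checks first on a suspected lure PDF."""
    meta = {k.decode(): v.decode("latin-1") for k, v in _INFO_FIELD.findall(data)}
    title = meta.get("Title", "").lower()
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_ioc": digest in IOC_SHA256,
        "metadata": meta,
        "uris": [u.decode("latin-1") for u in _URI_ACTION.findall(data)],
        # A genuinely encrypted PDF carries an /Encrypt entry in its trailer.
        "really_encrypted": b"/Encrypt" in data,
        "claims_protected": any(w in title for w in ("encrypt", "protect", "secure")),
    }


def lure_indicators(report: dict) -> list:
    """Turn the triage report into human-readable reasons for suspicion."""
    reasons = []
    if report["known_ioc"]:
        reasons.append("SHA-256 matches a published COLDRIVER lure hash")
    if report["claims_protected"] and not report["really_encrypted"]:
        reasons.append("document presents itself as protected but has no /Encrypt dictionary")
    if report["uris"]:
        reasons.append(f"{len(report['uris'])} external link(s) to review: {report['uris']}")
    if report["metadata"].get("Author"):
        reasons.append(f"author field for cross-sample comparison: {report['metadata']['Author']!r}")
    return reasons


if __name__ == "__main__":
    rep = triage_pdf(SAMPLE_PDF)
    print("sha256:", rep["sha256"])
    for line in lure_indicators(rep):
        print("-", line)
```

The hash match only catches the exact files Citizen Lab published; the structural checks (a self-described "encrypted" PDF with a live link and no /Encrypt dictionary, plus an author field to compare across samples) are what carry over to new lures. For production use, swap the regexes for a real PDF parser so that link annotations inside compressed object streams are not missed.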