August 16, 2024
Severity
High
Analysis Summary
Two distinct spear-phishing campaigns have targeted Russian and Belarusian non-profit organizations, Russian independent media, and international NGOs active in Eastern Europe. These attacks are believed to align with Russian government interests and have also targeted Russian opposition figures-in-exile, U.S. think tank officials, academics, and a former U.S. ambassador to Ukraine.
The campaigns were discovered through a joint investigation by researchers, shedding light on the sophisticated and highly tailored nature of the attacks. One campaign, named "River of Phish," has been attributed to the group COLDRIVER, which is believed to have ties to Russia's Federal Security Service (FSB). The other, carried out by a previously undocumented threat cluster known as COLDWASTREL, remains unattributed but exhibits similar social engineering tactics.
The "River of Phish" campaign primarily uses personalized social engineering techniques to deceive victims into clicking on links embedded in PDF documents. These links redirect victims to a credential-harvesting page, but only after the visiting host has been fingerprinted so that automated analysis tools are served something else and detection is evaded. The attackers often use Proton Mail accounts to impersonate familiar organizations or individuals and, in some cases, omit the PDF attachment from the initial email to make the approach look more credible and to select only those targets who reply before sending the malicious document.
COLDWASTREL, although similar in its use of Proton Mail and Proton Drive to trick victims, differs from COLDRIVER in its use of lookalike domains and in variations in PDF content and metadata. These differences suggest a separate threat cluster with distinct operational techniques. The first recorded attacks by COLDWASTREL occurred in March 2023, and while the actor behind it remains unknown, the campaign underscores the ongoing evolution of phishing tactics aimed at sensitive targets.
The use of spear-phishing remains a highly effective and low-cost method for global targeting, especially in politically sensitive regions. The campaigns reflect a strategic approach to cyber espionage where the attackers carefully select their targets and employ tailored tactics to minimize the risk of detection while gathering valuable intelligence. Researchers emphasize the importance of vigilance and robust security measures to counter these sophisticated threats.
Impact
- Unauthorized Access
- Cyber Espionage
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- ithostprotocol.com
- xsltweemat.org
- egenre.net
- esestacey.net
- ideaspire.net
- eilatocare.com
- vocabpaper.com
- matalangit.org
- togochecklist.com
MD5
- 17d16dc37316cee56c59b8c0354d61b4
- 6dd202eb311fe32bb24e2a18bbcdaed2
- 0fb222c1cabb24f355d37083afccb613
- 4accd8f1a8ec5e94aeed55de42e1647a
- ae28df80bc4cf717b8b94941d96a900e
SHA-256
- b07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d
- 0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88
- c1fa7cd73a14946fc760a54ebd0c853fab24a080cbf6b8460a949f28801e16fc
- 603221a64f2843674ad968970365f182c228b7219b32ab3777c265804ef67b0a
- df9d77f3e608c92ef899e5acd1d65d87ce2fdb9aab63bbf58e63e6fd6c768ac3
SHA-1
- 7906d66649c12bcb5733ace251674dee865cdbe8
- 2deb15749f47b822caf4eceb49a97ce2b5dc10de
- f17594ec33c1c00c4035be4ee6c52cf24b3fd95b
- 3ca10813f4f5d17cc6d1e1f8c0ebdd0d34a9191e
- 88b393769f349c6d194b3a6a9d370a46a59a4381
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Implement advanced email filtering solutions to detect and block spear-phishing attempts. Use AI-driven tools to identify suspicious email patterns and potential impersonation attempts.
- Enforce MFA across all accounts to add an extra layer of security, making it harder for attackers to access systems even if credentials are compromised.
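The remediation steps above ask defenders to block the listed indicators and to search for them in their environment. The following script is an added example, not part of the advisory, showing how the domain and file-hash indicators from the Indicators of Compromise section can be swept against log data and observed hashes. The log lines, the client IP addresses, the `notegenre.net` non-match and the sample file bytes are all constructed for the example; the log field names (`query=`, `url=`) are assumptions about a generic DNS/proxy log format, not a real product's schema. Two details matter in practice and are handled here: domain matches honour label boundaries (a subdomain of an IoC domain matches, a host that merely ends in the same characters does not), and hashes are compared case-insensitively.

```python
"""Sweep advisory IoCs (domains and file hashes) against sample telemetry.

Added example for the advisory above; indicator values are copied from its
Indicators of Compromise section, everything else is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Domain indicators from the advisory.
IOC_DOMAINS = {
    "ithostprotocol.com", "xsltweemat.org", "egenre.net", "esestacey.net",
    "ideaspire.net", "eilatocare.com", "vocabpaper.com", "matalangit.org",
    "togochecklist.com",
}

# MD5, SHA-1 and SHA-256 indicators from the advisory, stored lowercase so a
# single case-insensitive lookup covers all three digest types.
IOC_HASHES = {h.lower() for h in (
    "17d16dc37316cee56c59b8c0354d61b4", "6dd202eb311fe32bb24e2a18bbcdaed2",
    "0fb222c1cabb24f355d37083afccb613", "4accd8f1a8ec5e94aeed55de42e1647a",
    "ae28df80bc4cf717b8b94941d96a900e",
    "7906d66649c12bcb5733ace251674dee865cdbe8",
    "2deb15749f47b822caf4eceb49a97ce2b5dc10de",
    "f17594ec33c1c00c4035be4ee6c52cf24b3fd95b",
    "3ca10813f4f5d17cc6d1e1f8c0ebdd0d34a9191e",
    "88b393769f349c6d194b3a6a9d370a46a59a4381",
    "b07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d",
    "0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88",
    "c1fa7cd73a14946fc760a54ebd0c853fab24a080cbf6b8460a949f28801e16fc",
    "603221a64f2843674ad968970365f182c228b7219b32ab3777c265804ef67b0a",
    "df9d77f3e608c92ef899e5acd1d65d87ce2fdb9aab63bbf58e63e6fd6c768ac3",
)}

# Constructed sample log lines (assumed generic DNS/proxy format, not a real schema).
# Line 4 is a deliberate near-miss: "notegenre.net" must NOT match "egenre.net".
SAMPLE_LOGS = [
    "2024-08-16T10:02:11Z dns client=10.0.0.23 query=mail.ithostprotocol.com type=A",
    "2024-08-16T10:02:15Z proxy src=10.0.0.23 url=https://egenre.net/share/doc.pdf status=200",
    "2024-08-16T10:03:40Z dns client=10.0.0.41 query=www.example.org type=A",
    "2024-08-16T10:04:02Z proxy src=10.0.0.41 url=https://notegenre.net/x status=200",
]

# Pull a hostname out of either a DNS "query=" field or a proxy "url=" field.
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")


@dataclass
class DomainHit:
    line_no: int   # 1-based position in the scanned input
    host: str      # hostname as observed in the log
    ioc: str       # the advisory domain it matched


def matched_domain(host: str) -> Optional[str]:
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    Matching is done on label boundaries so that 'mail.ithostprotocol.com'
    matches 'ithostprotocol.com' but 'notegenre.net' does not match 'egenre.net'.
    """
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return host
    for ioc in IOC_DOMAINS:
        if host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines: Iterable[str]) -> List[DomainHit]:
    """Scan log lines for hostnames that match an advisory domain indicator."""
    hits: List[DomainHit] = []
    for line_no, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            ioc = matched_domain(host)
            if ioc is not None:
                hits.append(DomainHit(line_no, host, ioc))
    return hits


def match_hashes(observed: Iterable[str]) -> List[str]:
    """Return the observed digests (normalised to lowercase) that are advisory IoCs."""
    return sorted({h.strip().lower() for h in observed} & IOC_HASHES)


def hash_file_bytes(data: bytes) -> dict:
    """Compute the three digest types the advisory lists for a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.host} matches IoC domain {hit.ioc}")
    # Constructed file contents; its digests will not match any advisory hash.
    print(match_hashes(hash_file_bytes(b"constructed sample file").values()))
```

In a real sweep the `SAMPLE_LOGS` list would be replaced by a file or SIEM export, and `hash_file_bytes` would be run over quarantined attachments; the matching functions themselves do not change. Note that blocking is done on the domains themselves (including subdomains), so a boundary-aware match avoids both missing `mail.ithostprotocol.com` and falsely flagging unrelated hosts that merely share a suffix string.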