Russia-Associated Phishing Campaigns Target Civil Society and NGOs

Short Summary:

Access Now and the Citizen Lab have identified two spear-phishing campaigns targeting Russian and Belarusian nonprofit organizations, independent media, and international NGOs. One campaign is attributed to the Russian threat group COLDRIVER, while the second is linked to a previously unnamed actor dubbed COLDWASTREL. The attacks rely on personalized phishing emails, typically carrying a "locked" PDF whose link leads to a fake login page that harvests the target's account credentials.

Key Points:

  • Two spear-phishing campaigns targeting civil society organizations in Eastern Europe.
  • COLDRIVER is a known Russian threat group responsible for one of the campaigns.
  • The second campaign is attributed to an unnamed actor called COLDWASTREL.
  • Phishing emails were highly personalized, often impersonating known contacts.
  • Attackers used compromised accounts or lookalike emails to deceive victims.
  • Phishing attempts included locked PDF attachments and fake login pages.
  • Victims risk unauthorized access to sensitive information and potential legal repercussions.
  • Recommendations for protection include using two-factor authentication and verifying suspicious emails.

MITRE ATT&CK TTPs – created by AI

  • Phishing – T1566
    • Procedures:
      • Highly personalized emails targeting specific individuals or organizations.
      • Use of compromised accounts or lookalike email addresses to deceive victims.
      • Inclusion of malicious PDF attachments and links to fake login pages.
  • Phishing for Information – T1598
    • Procedures:
      • Fake login pages, reached via links in “locked” PDF attachments, harvesting the target’s account credentials.
      • In at least one observed case a victim with 2FA enabled was compromised, implying the second factor was phished as well.
  • Acquire Infrastructure: Domains – T1583.001
    • Procedures:
      • Attacker-controlled IP address hosting domains impersonating prominent civil society organizations.
  • Compromise Accounts: Email Accounts – T1586.002
    • Procedures:
      • Phishing emails sent from previously compromised accounts of people known to the target.
  • Valid Accounts – T1078
    • Procedures:
      • Likely use of harvested credentials for unauthorized access to victims’ email accounts.

Access Now’s Digital Security Helpline and the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto (“the Citizen Lab”), in collaboration with First Department, Arjuna Team, and RESIDENT.ngo, have uncovered at least two separate spear-phishing campaigns targeting Russian and Belarusian nonprofit organizations, Russian independent media, international NGOs active in Eastern Europe, and at least one former U.S. ambassador. The Citizen Lab attributes one of the two campaigns to a known Russian threat group called COLDRIVER, with the other likely to be the work of a different, previously unnamed actor. Access Now and the Citizen Lab have dubbed this second actor “COLDWASTREL.” 

Spear phishing describes a highly personalized way of attacking victims, using carefully tailored information that aligns with a target’s personal and professional experiences and activities. Based on Access Now and the Citizen Lab’s assessment, it is likely that these threat actors or their sponsor organizations are still targeting civil society with spear phishing and other techniques. For more details on the Digital Security Helpline’s investigation, read our full technical report.

// About COLDWASTREL

Our investigation into the first campaign began in March 2023, when the Russian human rights organization First Department alerted us to a phishing email received by several international NGOs. The sender impersonated a staff member using the Proton Mail platform. First Department also reported that the same staff member’s Proton Mail account had previously been targeted by a phishing attack in October 2022, which resulted in them losing access to the account. In August 2024, a previously targeted organization again alerted us to a new phishing attack on their staff, which had taken place that same month. Our Digital Security Helpline team investigated these cases, then reported them to Proton, ICANN, and other service providers.

While investigating the attacks, we discovered that an IP address used by the attacker was linked to domains impersonating several prominent civil society organizations active in Eastern Europe. We alerted the organizations in question, one of which confirmed they had received a similar phishing email, but preferred to stay anonymous for privacy and security reasons.

While some aspects of the attack indicate that the attacker, which we have dubbed “COLDWASTREL,” may be acting in the interests of the Russian regime, we cannot confidently attribute the attack to a particular actor at this stage. 

// About COLDRIVER

In early 2024, Access Now and the Citizen Lab identified a different cluster of phishing attacks. The organizations and individuals targeted in this campaign included Russian and Belarusian civil society organizations and independent media, international NGOs, and at least one former US ambassador. The Citizen Lab has attributed this campaign to the Russia-based threat group COLDRIVER, also known as, among other names, STAR BLIZZARD, SEABORGIUM, and CALLISTO. You can read more about COLDRIVER in the Citizen Lab’s investigation. According to several governments, this group operates under the Russian Federal Security Service (FSB)’s Centre 18.

// How the attacks were carried out

Below, we describe the pattern of the spear-phishing attacks we observed and offer guidance on how you can work to prevent or mitigate such attacks.

Both kinds of attacks were highly tailored to better deceive members of the target organizations. The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known. The phishing attacks were personalized to show scenarios that the individuals or their organizations might feasibly encounter in their daily work, mentioning topics such as event planning or financial discussions. 

The attacks also typically included a seemingly locked PDF attachment, sometimes with a link purporting to “unlock” the PDF’s content, which in fact led to a fake login page for the victim’s email provider, built to harvest the target’s account credentials.

// The impact of the attacks

While some targets told us that they did not engage with the phishing emails described in the two attacks, others were deceived into entering their user credentials.

Even though we did not directly observe credentials being passed back to the attacker’s infrastructure, it is likely that attackers were able to gain unauthorized access to some victims’ email accounts. 

If successful, such attacks could be enormously harmful, particularly to Russian and Belarusian organizations and independent media, since their email accounts are likely to contain sensitive information about their staff’s identities, activities, relationships, and whereabouts. Any contact between Russian NGOs or independent media with Western-based organizations could be mischaracterized by the Russian government, and used as a pretext to designate them as a “foreign agent” or “undesirable organization.” In some cases, this could even lead to individuals being criminally charged and imprisoned.

// How to protect yourself if you suspect you are being targeted

The following recommendations have been prepared jointly by Access Now and the Citizen Lab.

Start with prevention

Use two-factor authentication, correctly: Experts agree that setting up two-factor authentication (2FA) is one of the most powerful ways to protect your account from getting hacked. 

However, attackers such as COLDRIVER and COLDWASTREL may try to trick you into entering your second factor on the same fake login page; we have seen attackers successfully compromise a victim who had enabled 2FA. A six-digit code from SMS or an authenticator app is just a number: a fake page can collect it and forward it to the real service within the same time window. People using SMS messaging as their second factor are also at greater risk of having their codes stolen if a bad actor takes over their phone number (for example through a SIM swap). Security keys and passkeys do not share this weakness, because the browser only releases the credential to the exact website it was registered for, so a lookalike domain receives nothing it can use.
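To make that difference concrete, the following Python model was added for this page (it is not code from Access Now or the Citizen Lab) and contrasts a relayed TOTP code with a WebAuthn assertion produced on a lookalike origin. The relying-party domain example-mail.org, the phishing domain example-mail-login.org, the shared secret and the challenge are all hypothetical, and the WebAuthn verifier is stripped down to the origin and RP ID checks; a real relying party also verifies the signature, flags and counter.

```python
"""
Why a one-time code can be phished but a security key / passkey cannot.
Added illustration, not code from the Access Now / Citizen Lab report.
Domain names, the shared secret and the challenge are all made up.
"""
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlsplit

# --- TOTP (RFC 6238): a bearer code that carries no notion of *where* it was typed


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def service_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """The real service only checks that the digits are right for this time step."""
    return hmac.compare_digest(code, totp(secret, unix_time))


def relayed_totp_attack(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the lookalike login page; the attacker forwards
    it to the real service a few seconds later, inside the same 30-second window."""
    code_typed_into_phish = totp(secret, unix_time)           # from the victim's own app
    return service_accepts_totp(secret, code_typed_into_phish, unix_time + 5)


# --- WebAuthn: the browser binds the assertion to the page that asked for it ---

RP_ID = "example-mail.org"                    # hypothetical relying party
EXPECTED_ORIGIN = "https://example-mail.org"


def browser_makes_assertion(page_origin: str, challenge: str) -> dict:
    """Models what navigator.credentials.get() hands back to the calling page.
    The page supplies only the challenge; the browser writes the page's origin
    into clientDataJSON, and the RP ID the authenticator hashes is restricted by
    the browser to the page's own domain. (A real authenticator would have no
    credential at all for the lookalike RP ID; the model lets it answer so that
    the relying party's rejection is visible.)"""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id = urlsplit(page_origin).hostname
    # authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {
        "clientDataJSON": base64.urlsafe_b64encode(client_data_json).decode(),
        "authenticatorData": base64.urlsafe_b64encode(authenticator_data).decode(),
    }


def relying_party_verifies(assertion: dict, issued_challenge: str) -> tuple:
    """Origin and RP ID steps of WebAuthn assertion verification. A real relying
    party also verifies the signature over authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.loads(base64.urlsafe_b64decode(assertion["clientDataJSON"]))
    auth_data = base64.urlsafe_b64decode(assertion["authenticatorData"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replayed or stale)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"


if __name__ == "__main__":
    secret, now, chal = b"constructed-shared-secret", 1_700_000_000, "c2VydmVyLW5vbmNl"
    print("relayed TOTP accepted by the real service:", relayed_totp_attack(secret, now))
    print("genuine assertion:", relying_party_verifies(browser_makes_assertion(EXPECTED_ORIGIN, chal), chal))
    print("assertion made on https://example-mail-login.org:",
          relying_party_verifies(browser_makes_assertion("https://example-mail-login.org", chal), chal))
```

The relayed TOTP code is accepted because nothing in a six-digit code records where it was typed, whereas the assertion produced on the lookalike origin fails at the origin check before any signature is even examined. This is the property behind the recommendation for security keys and passkeys that follows.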

We recommend that people use more advanced 2FA options such as security keys or passkeys (Gmail users can enable passkeys in their Google account, and other major providers support them too). Here are three guides for increasing the level of security for your account:

Enroll in programs for high-risk users. Google and some other providers offer optional programs for people who, because of who they are or what they do, may face additional digital risks. These programs not only increase the security of your account, but also flag to companies that you may face more sophisticated attacks. Such programs include:

Received a message? Be a five-second detective

  • Step one: check your inbox for the sender’s email. Ask yourself if you have received messages from this account before. Both COLDRIVER and COLDWASTREL use lookalike email addresses to impersonate people known to the target either personally or professionally, so you may see an email that appears to come from someone you know, writing about something you would expect them to write about. Even if you have received previous messages from the same email address, it is possible to “spoof” a familiar-looking email address, so move on to the next step.
  • Step two: check with the sender over a different medium. If you have any concerns or are at all suspicious, do not open any PDF attachment or click on any link sent in the email. Instead, check directly with the purported sender, via another service, to confirm whether or not they’ve reached out to you. If you don’t already have direct contact with them, consider asking someone you trust to inquire on your behalf.
  • Step three: don’t just click. Always consult an expert before opening a document you are unsure about. If you want to view a document that you think is probably safe, but want to take care, open the file within your webmail. Google, Microsoft, and others render the file on their own servers and show you only the result, so malicious code embedded in the document does not run on your device. This will not, however, prevent you from clicking on potentially malicious links inside the document.
    • If you are viewing an attached document inside your webmail, you should remain careful. Don’t just click on any links; hover over or copy the link and read the full address before visiting it. Examine the domain carefully: is it what you would expect for the site you think you are visiting? Advanced phishing kits are very good at impersonating popular services, and often the only visual clue that it is not the authentic site will be in the address bar of the browser.
    • If you see a “login page” pop up, stop. This is a good time to consult a trusted expert.
  • Step four: beware of “encrypted” or “protected” PDFs. This kind of message is almost always a cause for concern. Legitimately encrypted PDFs almost never include a single “click here” button inside the PDF, and they don’t show a blurred version of the contents. Never click on any “login” links or “buttons” inside a PDF you have been sent.  
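The mechanical part of steps one, two and four can be scripted. The following Python helper was added for this page (it is not code from Access Now or the Citizen Lab): it takes a raw .eml, compares the sender against a hypothetical address book, flags lookalike domains, a familiar display name on an unfamiliar address and a mismatched Reply-To, and lists every link inside a PDF attachment together with where it leads. The address book, all domain names and the sample message with its tiny PDF are constructed for the example, in the shape of the lure the report describes; nothing here replaces step two, checking with the sender out of band.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical address book: address -> display name of people we already know.
KNOWN_CONTACTS = {
    "anna@example-ngo.org": "Anna Example",
    "press@example-media.org": "Example Media newsroom",
}
KNOWN_DOMAINS = {a.split("@")[1] for a in KNOWN_CONTACTS}
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("cl", "d")]
_URI_RE = re.compile(rb"/URI\s*\((?P<url>[^)]*)\)")      # PDF link annotations


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Known domain that `domain` imitates, or None (exact match or unrelated)."""
    domain = domain.lower()
    if not domain or domain in KNOWN_DOMAINS:
        return None
    variants = {domain}
    for a, b in _CONFUSABLES:                      # undo rn->m, 0->o style swaps
        variants.update({domain.replace(a, b), domain.replace(b, a)})
    for known in KNOWN_DOMAINS:
        label = known.split(".")[0]                # e.g. "example-ngo" reused as a prefix
        if any(_levenshtein(v, known) <= 2 for v in variants) or label in domain:
            return known
    return None


def pdf_links(data: bytes) -> list:
    """/URI targets visible in an uncompressed PDF. Annotations packed into
    object streams (/ObjStm) are invisible to this scan; decompress first."""
    return [m.group("url").decode("latin-1") for m in _URI_RE.finditer(data)]


def triage(raw: bytes) -> dict:
    """Mechanical part of the 'five-second detective' checks on a raw .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    by_name = {n.lower(): a for a, n in KNOWN_CONTACTS.items()}
    findings = []
    if addr not in KNOWN_CONTACTS:                 # step one: heard from this account before?
        hit = lookalike_of(domain)
        findings.append(f"sender domain {domain!r} looks like known domain {hit!r}" if hit
                        else f"first message from {addr!r}: verify out of band")
        if name.lower() in by_name:                # familiar name on an unfamiliar address
            findings.append(f"display name {name!r} belongs to {by_name[name.lower()]!r}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    for part in msg.iter_attachments():            # step four: where do the PDF's links go?
        fname = part.get_filename() or ""
        if part.get_content_type() != "application/pdf" and not fname.lower().endswith(".pdf"):
            continue
        for url in pdf_links(part.get_payload(decode=True) or b""):
            host = (urlsplit(url).hostname or "").lower()
            hit = lookalike_of(host)
            verdict = "known" if host in KNOWN_DOMAINS else f"lookalike of {hit!r}" if hit else "unknown"
            findings.append(f"PDF {fname!r} links to {url} (host {host!r}: {verdict})")
    return {"from": addr, "display_name": name, "findings": findings, "suspicious": bool(findings)}


# Constructed lure in the style the report describes: lookalike sender, plausible
# work pretext, a "locked" PDF whose only content is a link leading off-site.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]\n"
    b"  /A << /S /URI /URI (https://example-ng0.org/unlock/budget) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_message(sender: str = "Anna Example <anna@example-ng0.org>",
                         reply_to: Optional[str] = "anna.grants@example-webmail.net",
                         attach_pdf: bool = True) -> bytes:
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "director@example-partner.org"
    if reply_to:
        m["Reply-To"] = reply_to
    m["Subject"] = "Updated budget for the March workshop"
    m.set_content("Hi, the updated budget is attached. It is protected; use the link inside to unlock it.")
    if attach_pdf:
        m.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf", filename="budget_2024.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(*triage(build_sample_message())["findings"], sep="\n")
```

On the constructed sample the helper reports four findings: the sender domain example-ng0.org is one character away from the known example-ngo.org, the display name belongs to a different address, Reply-To points at a third domain, and the PDF's only link leads to the lookalike domain. Run it locally on the saved message; uploading a sensitive attachment to an online scanner has the drawbacks described under the next heading.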

Considering online virus-checking sites? You may wish to use online virus-scanning sites such as VirusTotal or Hybrid Analysis to check suspicious links or files. 

  • These services are useful and can be part of good security practice, but they come with a very important caveat: when you use such free services, you are not the customer, you are the product. Anything you upload is retained and made available to the service’s paying subscribers, which include many researchers, companies, and governments. The same applies to a submitted URL, which may contain a token that identifies you as the target.
  • We do not recommend using such tools to check “sensitive” files that may contain personal information or other private topics. If you only want to know whether a file is already known, look up its SHA-256 hash on the service instead of uploading the file itself. Otherwise, contact a trusted expert who can help.

Think you are being targeted? 

These recommendations address the kind of phishing that COLDRIVER and COLDWASTREL are currently using, but there are many other ways you could be targeted. Whatever your level of risk, we encourage you to get personalized security recommendations from the Security Planner, which also maintains a list of emergency resources and advanced security guides.

If you suspect that you have already been targeted in an attack, reach out to a trusted practitioner for advice. It is crucial to evaluate any damage to your organization and/or to other related organizations and individuals, such as partners, participants, grantees, and others. If this is the case, keep them informed about what has happened, what has been leaked, how this may impact them, and what steps you are taking to mitigate this impact. 

If you believe you have been compromised: Access Now’s Digital Security Helpline is available to support members of civil society, including activists, media organizations, journalists, and human rights defenders, 24/7 in nine languages, including Russian.

Source: https://www.accessnow.org/russian-phishing-campaigns/