A sophisticated and prolonged phishing campaign has been targeting journalists, human rights defenders, opposition figures, and American diplomats for over 18 months, with one of the participating groups linked to Russia's Federal Security Service (FSB), according to an investigation conducted by Citizen Lab in cooperation with Access Now and multiple civil society organizations.
The attack has affected more than 10 known targets, including an independent Russian investigative outlet, the legal defense organization First Department, and former US Ambassador to Ukraine, Steven Pifer. However, cybersecurity experts believe the actual number of targets could be significantly higher.
The campaign is being executed by two distinct groups, with one of them, known as Coldriver (also referred to as Star Blizzard or Callisto), directly connected to the FSB. The second group, identified as Coldwastrel, displays different tactics and techniques, suggesting it is a separate threat group. It is not currently clear which Russian intelligence agency Coldwastrel is affiliated with.
The spear-phishing operation has been employing personalized and credible social engineering tactics to deceive targets into revealing their online credentials. The attackers have impersonated trusted contacts of the targets, such as colleagues, funders, and government officials, making the phishing attempts highly convincing. In one case, Steven Pifer was targeted by an email that appeared to be from a fellow former US Ambassador, requesting him to review a document.
The phishing emails often contain a PDF attachment that appears to be encrypted or protected, luring the recipient to click on a link to “decrypt” the file. This link typically redirects the victim to a fake login page, where their credentials are harvested.
The attackers have demonstrated a deep understanding of their targets, frequently following up on initial phishing attempts with additional messages to reinforce the deception. In some instances, they have even engaged in prolonged email exchanges with the targets to seem more credible.
“The attackers typically register the domains and host the websites using Hostinger. Domains registered with Hostinger are hosted on shared servers which rotate IP addresses approximately every 24 hours, making the campaign more difficult to track,” the report said. “We did not identify any cases where a domain was operationally used within 30 days of its registration. This is a possible attempt to avoid being blocked by detection rules aimed at flagging emails or attachments with hyperlinks containing a recently registered domain.”
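The report's observation that domains sat unused for at least 30 days before going operational matters for defenders whose mail filters key on "recently registered domain". The following is an added example, not code from Citizen Lab or the report, that extracts links from a message, scores each link's domain by its registration age, and shows how a 30-day threshold lets an aged domain through while a longer window still flags it. The domains, dates and lure text are constructed placeholders, and the WHOIS lookup is a hypothetical in-memory table standing in for a real registration-data source.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed WHOIS-style registration dates for placeholder domains;
# these are hypothetical and not indicators from the report.
REGISTRATION_DATES = {
    "secure-doc-share.example": date(2024, 5, 3),   # aged ~5 weeks before use
    "mail.example.org": date(2015, 1, 20),          # long-established domain
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def lookup_registration(host):
    """Match a hostname or any of its parent domains in the WHOIS table."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REGISTRATION_DATES:
            return REGISTRATION_DATES[candidate]
    return None

def domain_age_days(host, seen_on):
    """Days between registration and the day the link was seen; None if unknown."""
    registered = lookup_registration(host)
    return None if registered is None else (seen_on - registered).days

def flag_links(text, seen_on, max_age_days):
    """Return [(url, age)] for links whose domain is younger than the
    threshold or has no registration record at all."""
    flagged = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        age = domain_age_days(host, seen_on)
        if age is None or age < max_age_days:
            flagged.append((url, age))
    return flagged

# Constructed lure text in the style the report describes: a "protected"
# document whose decrypt link points at an attacker-controlled domain.
SAMPLE = ("The attached file is encrypted. Open it here: "
          "https://files.secure-doc-share.example/decrypt/abc123 "
          "Our shared drive: https://mail.example.org/drive")
SEEN_ON = date(2024, 6, 10)

if __name__ == "__main__":
    for threshold in (30, 90):
        print(threshold, flag_links(SAMPLE, SEEN_ON, threshold))
```

With the 30-day rule the 38-day-old lure domain passes silently; treating domain age as a graded score combined with other signals the report names (shared hosting, daily IP rotation) rather than a single cutoff closes that gap.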
The researchers said they weren’t able to observe the second stage of the attack or credentials being passed to the attackers’ server. However, they believe that the threat actor used a tool designed to capture user credentials and enable unauthorized access, such as Evilginx or another phishing platform. Coldriver has been previously observed using Evilginx in its recent campaigns.
At the beginning of the year, Coldriver was seen using a custom backdoor called ‘SPICA’ in targeted campaigns against Western officials.