Kremlin's cyber nerds broke into and leaked NGO inboxes

A pro-democracy NGO in Russia says it looks like the Kremlin-linked COLDRIVER group was behind last month's hack-and-leak job that saw files and inboxes dumped online.

The Free Russia Foundation began an investigation following Citizen Lab's report last month which highlighted two spearphishing campaigns targeting nonprofits in Russia and Belarus. Preliminary findings cement the suggestion that at least one of these campaigns was orchestrated by COLDRIVER.

"Free Russia Foundation is closely monitoring the illegal dissemination of documents allegedly pertaining to our operations," it said in a statement. "We have launched an investigation to determine the origin, full extent, and nature of this breach and to minimize risks to our staff, partners, and beneficiaries.

"Preliminary findings point to recent phishing attacks by the Kremlin-linked threat group known as COLDRIVER. A number of entities have been compromised, resulting in the theft of their correspondence, including grant reports and internal documents.

"One of the possible goals of this criminal cyber attack is to serve as a pretext to a new wave of repression against pro-democracy Russians."

Citizen Lab said the phishing attacks were highly personalized and often came from compromised accounts at a target organization or from a fake account of a genuine individual known to the victim. The targets of the attack were typically members of NGOs like the Free Russia Foundation.

The emails would often have an attachment that appeared to be a locked PDF file, with the email containing a link to help unlock it. In reality, this link just led to a credential-harvesting page.
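As an added illustration, not code from the article, Citizen Lab, or the Free Russia Foundation, the following Python triage heuristic flags messages matching the lure pattern just described: a PDF attachment presented as locked, a link in the body offering to unlock it, and a familiar contact name paired with a sender domain that does not match the one on file. The two sample messages, the contact directory, and the keyword list are constructed for the example; the indicator names are assumptions, not an established taxonomy.

```python
"""Heuristic triage for the "locked PDF + unlock link" spearphishing lure.

Added example: the messages, contact list and keywords below are constructed
for illustration and are not real COLDRIVER artifacts.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Phrases that typically accompany a "locked document" lure (assumed list).
UNLOCK_WORDS = re.compile(
    r"\b(unlock|open|decrypt|view|access)\b.*?\b(document|file|pdf)\b", re.I | re.S
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _body_text(msg: Message) -> str:
    """Concatenate the text bodies of a (possibly multipart) message, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _pdf_attachments(msg: Message) -> list:
    """Return file names of parts that are PDFs by extension or declared content type."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and (fn.lower().endswith(".pdf") or part.get_content_type() == "application/pdf"):
            names.append(fn)
    return names


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str, known_contacts: dict) -> dict:
    """Return the lure indicators found in one raw RFC 822 message.

    known_contacts maps a display name to the domain that person normally
    writes from (a constructed stand-in for an organisation's directory).
    """
    msg = message_from_string(raw)
    indicators = []
    name, addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    pdfs = _pdf_attachments(msg)
    urls = URL_RE.findall(body)

    # Core lure: a PDF attachment plus a link the body says will unlock/open it.
    if pdfs and urls and UNLOCK_WORDS.search(body):
        indicators.append("pdf_attachment_with_unlock_link")
    # Familiar name, unfamiliar mailbox: the "fake account of a genuine individual" case.
    expected = known_contacts.get(name)
    if expected and _domain(addr) != expected:
        indicators.append("known_name_unexpected_domain")
    # Links that point away from the sender's own domain deserve a closer look.
    sender_domain = _domain(addr)
    if sender_domain and any(sender_domain not in u.lower() for u in urls):
        indicators.append("link_off_sender_domain")
    return {"from": addr, "attachments": pdfs, "indicators": indicators, "score": len(indicators)}


# Constructed directory: Anna normally writes from partner.example.
CONTACTS = {"Anna Petrova": "partner.example"}

# Constructed lure message: right name, wrong domain, "locked" PDF, unlock link.
LURE_MESSAGE = """\
From: Anna Petrova <anna.petrova@mail-service.example>
To: grants@ngo.example
Subject: Grant report (locked PDF)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Hi, the attached report is protected. To unlock the document please use
https://docs-unlock.example.net/open?id=123

--B1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1--
"""

# Constructed benign message from the expected domain with an in-domain link.
BENIGN_MESSAGE = """\
From: Anna Petrova <anna.petrova@partner.example>
To: grants@ngo.example
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes from today's call are in the shared folder: https://partner.example/notes
"""

if __name__ == "__main__":
    for raw in (LURE_MESSAGE, BENIGN_MESSAGE):
        print(score_message(raw, CONTACTS))
```

The three checks are deliberately independent so that each one can be tuned or logged on its own; in a real mail pipeline the contact directory would come from the address book or past correspondence rather than a literal dict, and the keyword list would be maintained per language.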

Citizen Lab, which examines matters related to digital security and potential threats to human rights, said it's likely that victims' credentials were stolen and used to access their email accounts.

"If successful, such attacks could be enormously harmful, particularly to Russian and Belarusian organizations and independent media, since their email accounts are likely to contain sensitive information about their staff's identities, activities, relationships, and whereabouts," the organization said.

"Any contact between Russian NGOs or independent media with Western-based organizations could be mischaracterized by the Russian government, and used as a pretext to designate them as a 'foreign agent' or 'undesirable organization.' In some cases, this could even lead to individuals being criminally charged and imprisoned."

The Free Russia Foundation said the attack "does not come as a surprise" since this type of activity is consistent with COLDRIVER's modus operandi. Active since 2019, the FSB-linked offensive cyber unit typically targets NGOs, governments, critical infrastructure, and even Western elections.

It also goes after smaller-scale political dissidence within Russia: groups smaller than established organizations, individuals staging solo protests, or those who run anti-war blogs, for example.

COLDRIVER and COLDWASTREL

COLDRIVER is known for its credential-harvesting tricks, but a less familiar tactic was recently outed by researchers.

Google's Threat Analysis Group (TAG) revealed in January that COLDRIVER had been dropping a custom backdoor in its attacks since at least 2022.

The malware, dubbed SPICA, comprises a robust list of features including shell command execution, browser cookie-stealing capabilities, and file exfiltration.

A group tracked as COLDWASTREL is thought to be behind the second spearphishing campaign targeting Russian NGOs. Despite the similar naming convention, it has not been conclusively proven to be affiliated with the Kremlin, although it is certainly pro-Russia in its ideology.

Citizen Lab said COLDWASTREL's attacks have been ongoing for years. Several international NGOs said they received the same phishing email linked to the group back in 2022 and one of these organizations was again targeted in August 2024. ®

Source: go.theregister.com