pwshub.com

Russian spy agency hackers breach human rights groups, victims say

Russian spy agencies are using deep knowledge about foreign and domestic opponents, reporters and human rights groups to target them with well-crafted phishing attacks, in some cases successfully, according to the groups and security researchers.

Reports published Wednesday by digital rights group Access Now and Canadian research nonprofit Citizen Lab include samples of the emails sent during the past two years to targets such as Russian rights organization First Department, which represents Russians accused of treason or espionage.

While the FSB and other Russian services have used similar tactics before, the new research shows that they have altered their techniques to avoid immediate detection and that they don’t mind being identified later, according to Citizen Lab.

As Russian government agencies are capable of far more sophisticated hacking, the persistence of phishing underscores its effectiveness, especially when fueled by impersonation and deep knowledge of the target’s contacts and expectations.

First Department head Dmitry Zair-Bek told The Washington Post that his group was the first, in the fall of 2022, to be targeted by one of the two phishing campaigns disclosed Wednesday. An email that appeared to come from a colleague included a PDF-format electronic document. A link inside the document opened a fake log-in page for Proton Drive, which is affiliated with the privacy-protecting Proton Mail email service. Zair-Bek declined to say whether the attack succeeded, but First Department joined in the investigation.

“We know they tried to impersonate us in other attacks,” he said.

The attack disclosed this week on former president Donald Trump’s campaign likewise made use of a compromised email account of a trusted outsider, Roger Stone, people familiar with the matter told The Post.

The researchers attributed one phishing campaign to a group known as ColdRiver and other names. Multiple governments have said the group works for the FSB, Russia’s Federal Security Service, which operates worldwide. The research groups are calling the operators of the second campaign ColdWastrel, which they believe is working for another Russian agency.

Citizen Lab said it was sharing technical evidence from the campaigns with email providers in hopes that they will block future phishing attempts.

Also targeted was news organization Proekt Media, which has published investigative reports on corruption among powerful Russian officials. “The hackers impersonated a colleague of mine from another media organization, and that’s basically why I fell for it the first time,” one of Proekt’s workers said by encrypted message. The person exchanged emails with the hacker but stopped at the fake log-in page.

A phishing email was also sent to Steven Pifer, a former U.S. ambassador to Ukraine, and appeared to come from another former ambassador.

“We judge that these targets may have been selected for their extensive networks among sensitive communities, such as high-risk individuals within Russia. For some, successful compromise could result in extremely serious consequences, such as imprisonment or physical harm to themselves or their contacts,” Citizen Lab wrote.

Source: washingtonpost.com
