A Russian state-sponsored spear phishing campaign has been found to be targeting Western and Russian civil society targets, including nongovernmental organizations, independent media and at least one former U.S. ambassador.
The campaign, detailed Wednesday by Citizen Lab and dubbed “River of Phish,” engaged targets with personalized and highly plausible social engineering in an attempt to gain access to their online accounts. The campaign is believed to be run by the Coldriver group, which Western governments believe is linked to the Russian Federal Security Service.
The targets have included Russian opposition figures in exile to staff at nongovernmental organizations in the U.S. and Europe, funders and media organizations. Among the targets was Polina Machold, the publisher of a media out that conducts high-profile investigative reporting into official corruption and abuses of power in Russia.
Citizen Lab also observed the group targeting former officials and academics in U.S. think tanks and policy organizations. Among them was former U.S. Ambassador to Ukraine Steven Pifer, who was targeted with a highly credible approach impersonating someone known to him — a fellow former U.S. ambassador.
Though certain targeted groups and individuals have been identified, Citizen Labs notes that they suspect the total pool of targets is likely much larger than the civil society groups it has analyzed. Notably, the Russian group was also found to be impersonating U.S. government personnel as part of its campaign, meaning that there could be further compromises within the U.S. government.
“Cybercriminals target anyone with an email address, but targeting high-profile people in government is a win for them,” James McQuiggan, security awareness advocate at KnowBe4 Inc., told SiliconANGLE. “Gaining access to a system that is within the government can be the stepping stone to a much larger payoff” as the attackers “can leverage the victim’s system to access other systems with the government infrastructure to then be able to collect data or maintain persistence for future access, which could lead to an attack or possible ransomware outcome.”
“Email should be treated with skepticism,” McQuiggan added, “If it’s not expected or the sender is unknown, like answering the front door of your home and seeing a package that wasn’t ordered, it should be met with skepticism and verify the sender or the contents of the email.”