A hacking group known as Coldriver is behind a series of sophisticated cyberattacks targeting Russia’s perceived enemies, including media companies, non-governmental organizations and a former U.S. ambassador to Ukraine, a new report from Toronto researchers says.
The 26-page report released Wednesday from the University of Toronto’s Citizen Lab, which studies the internet, human rights and security, describes the attacks, the targets and how the researchers were able to link the campaign to Coldriver.
Coldriver’s targets include Proekt Media, an independent Russian news organization known for its investigative reporting into Russian corruption, and Steven Pifer, a senior fellow at the American think tank the Brookings Institution who served as the U.S. ambassador to Ukraine from 1998 to 2000. Mr. Pifer was contacted by someone credibly impersonating a fellow U.S. ambassador whom he knew, the Citizen Lab report revealed.
The hackers engage with their targets over e-mail by credibly impersonating people they know in an attempt to gain access to their online accounts. There’s no tally of the group’s success rate, but Citizen Lab’s report indicates at least some of the attacks have been successful.
Coldriver is known by several different nicknames, including Star Blizzard and Blue Callisto. The group is believed to conduct cyberattacks on behalf of Russia’s Federal Security Service, or FSB, according to multiple government agencies within the Five Eyes intelligence partnership, which includes Canada, Britain, the U.S., Australia and New Zealand.
A common thread between the targets is a connection to Russia, Ukraine or Belarus, the researchers wrote. Many of the targets that spoke with Citizen Lab and its investigative partner Access Now, a non-profit focused on digital civil rights, chose to remain anonymous to protect their safety and privacy.
The targets are likely chosen because of their connections to sensitive communities. The hackers go after individuals such as Russian opposition figures, or people connected to them. For some targets, being compromised could result in serious consequences such as imprisonment or physical harm, according to the report.
“This investigation shows that Russian independent media and human-rights groups in exile face the same type of advanced phishing attacks that target current and former U.S. officials, yet they have many fewer resources to protect themselves, and the risks of compromise are much more severe,” said Natalia Krapiva, senior tech legal counsel at Access Now.
The researchers also outlined how, with the help of Access Now, they identified what they believe to be a separate hacking group they call Coldwastrel, whose interests also align with those of Russian security services.
Ms. Krapiva said she doesn’t believe that this entity has ever been publicly identified before. “We do think it is a separate entity that’s most likely Russia affiliated,” Ms. Krapiva said.
However, it’s also possible that an existing hacker group has merely switched up its tactics, said Rebekah Brown, a senior researcher at the Citizen Lab.
Ms. Brown said it’s notable that while Coldriver’s activities have been widely reported in recent years, the group has continued to aggressively target those whom Russia perceives as a threat.
What also stood out about the attacks, according to Ms. Brown, is their sophistication and the level of research that the attackers conduct on their targets.
“They know who these people talk to. They know what events they attend. They know what subjects are interesting to them or what things they might actively be working on at the moment. These messages they send look very, very real,” Ms. Brown said.
The attacks, which the researchers have dubbed the River of Phish campaign, employ a highly targeted technique known as spear phishing.
The hackers contact their targets by e-mail, masquerading as colleagues, funders or government officials asking them to review a document relevant to their work, such as a grant proposal or the draft of an article.
The messages are so personalized and believable that multiple targets believed they were communicating with the person that the hacker was impersonating, the report said.
When the attached PDF file is opened, it displays what appears to be blurred text with a link to “decrypt” or access the file. If the target clicks on the link, they are taken to a fake login page for their e-mail service (for instance, Gmail or Proton Mail) that prompts them to enter their credentials, which are captured by the attacker.
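As an added illustration that is not part of the original article or the Citizen Lab report, the Python script below shows one way a defender could triage a suspicious PDF attachment of the kind described above: it pulls the link targets out of the file’s link annotations and flags any that mention Gmail or Proton Mail but do not point at those providers’ real login hosts. The PDF bytes, the lookalike hostname, the allowlist and the scoring rules are all constructed for this example and are not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a hand-written, uncompressed one-page PDF standing in for the
# lure described in the article. It is NOT a file from the report. A real lure would
# also carry a blurred-text image; for triage, only the link annotations matter.
# Object 4 uses a PDF literal string, object 5 a hex string ("https://example.org/").
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 620]
  /A << /S /URI /URI (https://accounts-google.login-verify.example/decrypt) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 560 300 580]
  /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Link targets live in /A << /S /URI /URI ... >> dictionaries. The URI is either a
# literal string "( ... )" with backslash escapes or a hex string "< ... >".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# Real login hosts for the two providers the article names. Assumption: the defender
# maintains this allowlist; it is not taken from the report.
LEGIT_LOGIN_HOSTS = {
    "accounts.google.com", "mail.google.com",
    "account.proton.me", "mail.proton.me",
}
BRAND_WORDS = ("google", "gmail", "proton")


def _unescape_literal(raw: bytes) -> bytes:
    # Only the escapes that can occur inside a URL are handled; octal escapes are
    # ignored (a simplification of the PDF string syntax).
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI link target found in the raw PDF bytes, in document order."""
    found = []
    for m in URI_LITERAL.finditer(pdf):
        found.append((m.start(), _unescape_literal(m.group(1)).decode("latin-1")))
    for m in URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"  # PDF spec: an odd trailing hex digit is padded with 0
        found.append((m.start(), bytes.fromhex(digits.decode("ascii")).decode("latin-1")))
    return [uri for _, uri in sorted(found)]


def classify(uri: str) -> str:
    """Heuristic verdict for one link target (these rules are the example's, not the report's)."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return "non-web-uri"        # javascript:, file:, etc. have no place in a document link
    if host in LEGIT_LOGIN_HOSTS:
        return "legit-login-host"
    if any(word in uri.lower() for word in BRAND_WORDS):
        return "lookalike-login"    # names the provider but is not hosted by the provider
    return "external-link"


def triage(pdf: bytes) -> dict[str, str]:
    """Map each link target in the PDF to its verdict."""
    return {uri: classify(uri) for uri in extract_uris(pdf)}


if __name__ == "__main__":
    for uri, verdict in triage(SAMPLE_PDF).items():
        print(f"{verdict:18} {uri}")
```

Scanning the raw bytes only works when the annotation dictionaries are stored uncompressed; many real documents keep them inside compressed object streams, so normalize the file first (for example with `qpdf --qdf in.pdf out.pdf`) before running this kind of check. A one-page PDF whose only content is an image and a single external link is itself worth treating as a signal, independent of where the link points.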