Russia ups the ante: Kremlin-backed hackers launching more sophisticated phishing attacks


Russian state-sponsored hackers have intensified their efforts, launching increasingly sophisticated phishing attacks against members of civil society in the US, Europe, and even within Russia.

These attacks, attributed to Russian intelligence services, have grown more sophisticated, especially in their use of social engineering to impersonate people the targets know and trust. The findings come from a recent investigation by the Citizen Lab at the University of Toronto and Access Now.

This spike in phishing attempts coincides with a separate FBI inquiry into similar cyberattacks originating from Iran, targeting advisors to both former President Donald Trump and the Harris-Walz campaign.

While state-sponsored hacking is not a new occurrence — Hillary Clinton’s 2016 presidential campaign was famously targeted by Russian-linked hackers — recent efforts by Russian operatives demonstrate a significant rise in both technical proficiency and cunning tactics.

Among those targeted in this recent wave are Steven Pifer, the former US ambassador to Ukraine, and Polina Machold, an exiled Russian publisher renowned for her investigative work on Russian President Vladimir Putin and Chechen leader Ramzan Kadyrov.

In Pifer's case, the attackers posed as another former US ambassador, someone Pifer knew, producing what experts described as a “highly believable” exchange. Machold, who has lived in Germany since leaving Russia in 2021, faced a similarly intricate attack. The first email, apparently from someone she had previously collaborated with, asked her to open a document that turned out not to be attached.

Months later, she received another email from the same person, this time from a Proton Mail account. Opening the attachment brought up what looked like a Proton Drive login page asking for her credentials. Suspicious, Machold contacted the individual through another channel, only to learn that he had not emailed her at all.

This level of deception shows the lengths these hackers will go to in order to gain access to confidential information. Machold noted that anyone linked to the Russian opposition is at risk, as the attackers strive to gather as much information as possible. The phishing campaigns that targeted Pifer and Machold have been attributed to a threat actor known as Coldriver, connected to Russia’s Federal Security Service (FSB).

Another group, known as Coldwastrel, has displayed similar targeting patterns, also focusing on individuals of interest to Russia.

The investigation underlines the vulnerabilities faced by Russian independent media and human rights organizations in exile. Unlike their counterparts in the US, these groups often lack the resources to defend against such advanced attacks, yet the consequences of a security breach could be much more severe, especially for those still within Russia.

These threat actors utilize deceptive phishing tactics that are remarkably successful. They typically initiate communication by pretending to be a known acquaintance, requesting the target to examine a document.

The attached PDF typically claims to be encrypted and leads to a login page that mimics a service such as Proton Drive, often with the target's email address already filled in to add to its apparent legitimacy.

Once the target submits their credentials and two-factor authentication code, the attackers use them immediately to take over the email account and any linked online storage, such as Google Drive, exposing a potentially vast amount of sensitive information. Because the code is entered into the attackers' page and used right away, a one-time code offers no protection against this kind of attack; phishing-resistant methods such as FIDO2 security keys, which will not authenticate to a lookalike domain, do.
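As an added illustration, not code from the Citizen Lab/Access Now investigation, the following Python script triages a constructed email for the three tells this section describes: a sender whose display name matches a known contact but whose address does not, a link to a lookalike of the service the lure claims to be (Proton Drive, Google Drive), and the recipient's own address pre-filled in that link. The allow-list of legitimate hosts, the address book, and both sample messages are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse, unquote

# Hosts that really belong to the services a "please review this document"
# lure tends to imitate. Assumption: a short stand-in for a maintained allow-list.
LEGIT_HOSTS = {
    "proton": {"proton.me", "mail.proton.me", "drive.proton.me", "account.proton.me"},
    "google": {"drive.google.com", "docs.google.com", "accounts.google.com"},
}

# Constructed address book: display name -> the address actually on file.
KNOWN_CONTACTS = {"Alex Example": "alex@known-org.example"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def first_address(header):
    """Return (display_name, addr_spec) of a parsed address header, or empty strings."""
    if header is None or not header.addresses:
        return "", ""
    addr = header.addresses[0]
    return addr.display_name, addr.addr_spec


def link_findings(url, recipient):
    """Flag one URL: brand-lookalike host, or the recipient's address pre-filled."""
    found = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for brand, hosts in LEGIT_HOSTS.items():
        legit = any(host == h or host.endswith("." + h) for h in hosts)
        if brand in host and not legit:
            found.append(("lookalike_host", host))
    # The victim's address in the query or fragment is what makes the fake
    # login page appear personalised.
    tail = unquote(parsed.query + " " + parsed.fragment).lower()
    if recipient and recipient.lower() in tail:
        found.append(("prefilled_recipient", url))
    return found


def analyze_message(raw):
    """Return a list of (indicator, detail) findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display, sender = first_address(msg["From"])
    _, recipient = first_address(msg["To"])
    findings = []
    known = KNOWN_CONTACTS.get(display)
    if known and known.lower() != sender.lower():
        findings.append(("sender_mismatch", f"{display} <{sender}>"))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in HREF_RE.findall(text):
        findings.extend(link_findings(url, recipient))
    return findings


# Constructed lure in the style described above: trusted name, wrong address,
# "Proton Drive" link on a lookalike domain with the target's email pre-filled.
PHISH = """\
From: "Alex Example" <alex.example@protonmail-secure.example>
To: target@example.org
Subject: Document for review
Content-Type: text/html; charset="utf-8"

<p>Hi, could you look at the document we discussed?</p>
<p><a href="https://drive-proton.example/pdf?email=target%40example.org">Open in Proton Drive</a></p>
"""

# Constructed benign message from the address on file, linking to the real host.
BENIGN = """\
From: "Alex Example" <alex@known-org.example>
To: target@example.org
Subject: Shared file
Content-Type: text/html; charset="utf-8"

<p><a href="https://drive.proton.me/urls/ABC123">Shared file</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, analyze_message(raw))
```

The checks are deliberately simple string comparisons so they can be read in full; in a real mailbox filter the allow-list and address book would come from configuration, and the lookalike test would also cover homoglyphs and the sender's own domain.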

Experts warn that once these attackers obtain login credentials, they act swiftly to extract as much data as possible, posing immediate risks to the safety of individuals, particularly those still in Russia. The implications of these attacks are far-reaching, affecting not only the security of the individuals targeted but also the broader landscape of international cyber threats.
