Russia ups the ante: Kremlin-backed hackers launching more sophisticated phishing attacks


Russian state-sponsored hackers have escalated their efforts, launching increasingly sophisticated phishing attacks against members of civil society in the US, Europe, and even within Russia.

These attacks, attributed to Russia’s Federal Security Service (FSB), have become more advanced, particularly in the social engineering used to impersonate people the targets already know and trust. This information comes from a recent investigation conducted by the Citizen Lab at the University of Toronto and Access Now.

This surge in phishing activities coincides with a separate investigation by the FBI into similar hacking attempts, but originating from Iran, targeting advisors to both former President Donald Trump and the Harris-Walz campaign.

Although state-sponsored hacking is not a new phenomenon — Hillary Clinton’s 2016 presidential campaign was notably targeted by Russian-linked hackers — the recent efforts by Russian operatives demonstrate a marked increase in both technical sophistication and cunning strategies.

Among those targeted in this latest wave are Steven Pifer, the former US ambassador to Ukraine, and Polina Machold, an exiled Russian publisher known for her investigative work on Russian President Vladimir Putin and Chechen leader Ramzan Kadyrov.

In Pifer’s case, the attackers impersonated another former US ambassador, someone Pifer knew well, leading to what researchers described as a “highly credible” interaction. Machold, who has been living in Germany since her expulsion from Russia in 2021, faced a similarly complex attack. She was first contacted by someone she had previously worked with and asked to open an attachment that was missing from the message.

Months later, she received another email from the same person, this time sent from a Proton Mail account. When she opened the attached file, it presented what looked like a legitimate Proton Drive page and asked for her login details. Suspicious, Machold contacted the individual directly, only to learn that he had not been emailing her at all.

This level of deception shows how far these attackers will go to obtain sensitive information. Machold noted that anyone connected to the Russian opposition is at risk, since the attackers try to collect as much information as possible. The phishing campaigns that targeted Pifer and Machold have been attributed to a threat actor tracked as Coldriver, which is linked to the FSB.

Another group, known as Coldwastrel, has exhibited similar targeting patterns, also focusing on individuals of interest to Russia.

The investigation underscores the vulnerabilities faced by Russian independent media and human rights groups in exile. Unlike their counterparts in the US, these groups often lack the resources to defend against such advanced attacks, yet the consequences of a security breach could be far more severe, particularly for those still within Russia.

The phishing tactics employed by these threat actors are disturbingly effective. The attackers typically initiate contact by pretending to be someone the target knows and asking them to review a document.

The attached PDF usually claims to be encrypted through a service such as Proton Drive and leads the target to a login page, which may even be pre-filled with the target’s email address to make it look legitimate.

Once the target enters their credentials and two-factor authentication code, the attackers immediately gain access to their email and any associated online storage, such as Google Drive, potentially exposing a wealth of sensitive information. Because the code is relayed to the real service as soon as it is typed, SMS and app-based one-time codes do not stop this attack; only phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site’s origin, do.
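The lure described above leaves traces that can be checked before anyone clicks: a PDF whose link annotations point at a host that merely resembles Proton, and a URL that already carries the recipient’s address so the fake login page can pre-fill it. The following script is an added example, not code from the article or from Citizen Lab; it builds a minimal PDF inline (constructed sample data, with a fictitious lookalike host and a fictitious target address) and scans its `/URI` link annotations for those two signals. The Proton domain allow-list is an assumption for illustration, not an official list.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: domains Proton really serves from. Illustrative allow-list only.
PROTON_DOMAINS = {"proton.me", "protonmail.com", "pm.me"}

# PDF link annotations store their target as a literal string: /URI (...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: a one-page PDF with two link annotations. The first is
# the lure (lookalike host, recipient address in the URL); the second is benign.
SAMPLE_LURE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 540 720]"
    b" /A << /S /URI /URI (https://drive.proton-secure.example/open"
    b"?file=report.pdf#user=target@example.org) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 540 680]"
    b" /A << /S /URI /URI (https://proton.me/support) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the PDF's link annotations."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1).decode("latin-1")
        # Undo PDF literal-string escapes such as \( \) and \\ (octal escapes ignored).
        uris.append(re.sub(r"\\(.)", r"\1", raw))
    return uris


def registrable_domain(host: str) -> str:
    """Last two labels of the host, enough to compare against the allow-list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url: str, target_email: str) -> dict:
    """Flag the two lure signals: a Proton lookalike host and a pre-filled address."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Signal 1: the host name borrows the Proton brand without being a Proton domain.
    if "proton" in host and registrable_domain(host) not in PROTON_DOMAINS:
        findings.append(f"lookalike host impersonating Proton: {host}")

    # Signal 2: the recipient's own address travels in the URL so the fake
    # login page can be pre-filled with it.
    tail = unquote(f"{parts.path}?{parts.query}#{parts.fragment}")
    for addr in EMAIL_RE.findall(tail):
        if addr.lower() == target_email.lower():
            findings.append(f"target address pre-filled in URL: {addr}")

    return {"url": url, "host": host, "findings": findings,
            "suspicious": bool(findings)}


def scan_pdf(pdf_bytes: bytes, target_email: str) -> list[dict]:
    """Assess every link annotation in the PDF for the recipient given."""
    return [assess_link(u, target_email) for u in extract_uris(pdf_bytes)]


if __name__ == "__main__":
    for result in scan_pdf(SAMPLE_LURE_PDF, "target@example.org"):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['url']}")
        for f in result["findings"]:
            print(f"           - {f}")
```

The regex approach deliberately avoids a PDF library so the check runs anywhere, but it only sees uncompressed, unencrypted link annotations; a real mail gateway would first decompress object streams with a proper parser and then apply the same two tests to every extracted URL.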

Experts warn that once these attackers obtain login credentials, they move quickly to extract as much data as possible, posing immediate risks to the safety of individuals, particularly those still in Russia. The implications of these attacks are profound, not only for the security of the individuals targeted but also for the broader landscape of international cyber threats.
