Russia’s state security agency is launching increasingly sophisticated phishing attacks against US, European and Russian civil society members, in some cases by impersonating individuals who are personally close to the targets of the attacks, according to a new investigation by security researchers.
A new report by the Citizen Lab at the University of Toronto and Access Now comes as the FBI has separately launched an investigation into suspected hacking attempts by Iran targeting an adviser to Donald Trump and advisers to the Harris-Walz campaign.
State-sponsored hacking campaigns – including ones that seek to influence political campaigns – are not new: Hillary Clinton was targeted by hackers linked to the Russian government in the months before her unsuccessful presidential bid in 2016.
But researchers say attacks linked to the Russian state are becoming more sophisticated, in both social engineering strategies and technical aspects.
The targets of the recent spate of attempted attacks have included the former US ambassador to Ukraine Steven Pifer, and Polina Machold, the exiled Russian publisher whose news organization, Proekt Media, had conducted high-profile investigations into the Russian president, Vladimir Putin, and the Chechen leader, Ramzan Kadyrov.
In Pifer’s case, researchers said he was targeted following a “highly credible” exchange involving someone impersonating another former US ambassador whom Pifer knew.
Machold’s case similarly followed a more sophisticated method of attack. The publisher, who lives in Germany after being expelled from Russia in the summer of 2021, was first contacted in November 2023 by email by a counterpart at another publisher with whom she had worked previously. He asked her to look at an attached file, but there was no attachment. She responded that it was missing. A few months later, he contacted her again, this time using a handle on Proton Mail, a free and secure email service commonly used by journalists. Alarm bells started to ring, she said, when an attachment on that email, which she opened and which appeared to resemble a Proton Mail drive, required login details. She called the contact, who said, with shock, that he had not been emailing her.
“I had not seen anything like this before. They knew I had contacts with this person. I didn’t have a clue even though I consider myself to be on high alert,” Machold said.
Machold said it was clear that anyone connected to the Russian opposition could be a target. “They need as much information as they can get,” she said.
Researchers said that the phishing campaign that targeted Machold and Pifer was executed by a threat actor they called Coldriver, which has been attributed to Russia’s Federal Security Service (FSB) by multiple governments. A second threat actor, called Coldwastrel, had a similar targeting pattern and also seemed focused on targets that would be of interest to Russia.
“This investigation shows that Russian independent media and human rights groups in exile face the same type of advanced phishing attacks that target current and former US officials. Yet they have many fewer resources to protect themselves, and the risks of compromise are much more severe,” said Natalia Krapiva, senior tech legal counsel at Access Now.
Almost all of the targets who spoke to the researchers remained anonymous for their own safety, but were described as prominent Russian opposition figures in exile, non-governmental staff in the US and Europe, funders and media organizations. One thing most targets had in common, researchers said, was their “extensive networks among sensitive communities”.
The most common tactic observed involved the threat actor initiating an email exchange with a target while masquerading as a person the target knows, and asking the target to review a document. An attached PDF typically purports to be encrypted using a privacy-focused service like Proton Drive, and the login page it leads to may even be pre-populated with the target’s email address, making it look legitimate. If the target enters their password and a two-factor code, those credentials are sent back to the attacker, which in turn gives them access to the target’s email account.
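As an added example, not taken from the report or the article, here is a small Python check a defender could run over a suspicious PDF attachment before opening it: it pulls the link targets out of the PDF and flags any that lead off the claimed service's domain or carry a pre-filled email address, the two traits of the lure described above. The sample PDF bytes, the look-alike domain and the list of legitimate domains are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed minimal PDF: one page, one link annotation that pretends to be a
# Proton Drive share but sends the reader to a look-alike host (hypothetical domain).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (https://drive-proton.example/login?email=target%40example.org) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Domains the lure claims to belong to (assumed list; extend per impersonated brand).
PROTON_DOMAINS = {"proton.me"}

# Matches literal-string URIs only; hex-encoded <...> strings and compressed
# object streams are not handled by this raw-bytes scan.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
EMAIL_KEYS = {"email", "username", "login", "user"}


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal found in the raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def host_in_domains(host: str, domains: set[str]) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_uri(uri: str, domains: set[str]) -> dict:
    """Describe one link: host, whether it matches the claimed brand, any pre-filled address."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    prefilled = next((v[0] for k, v in query.items()
                      if k.lower() in EMAIL_KEYS and "@" in v[0]), None)
    return {"uri": uri, "host": host,
            "brand_match": host_in_domains(host, domains),
            "prefilled_email": prefilled}


def check_pdf(pdf_bytes: bytes, domains: set[str]) -> list[dict]:
    """Return only the links worth a second look: off-brand host or pre-filled address."""
    return [c for c in (classify_uri(u, domains) for u in extract_uris(pdf_bytes))
            if not c["brand_match"] or c["prefilled_email"]]
```

Running `check_pdf(SAMPLE_PDF, PROTON_DOMAINS)` on the constructed lure returns one finding whose host is outside proton.me and whose URL already carries the recipient's address.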
“As soon as these attackers get credentials, we think they will work immediately to access email accounts and any online storage, like Google Drive, to pull as much sensitive information as they can. There are immediate risks to life and safety, especially if information concerning people still in Russia is in those accounts,” said Rebekah Brown, a senior researcher at the Citizen Lab.