Russia-linked phishing campaigns ensnare civil society and NGOs
Access Now's Digital Security Helpline and the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto (the Citizen Lab), in collaboration with First Department, Arjuna Team, and RESIDENT.ngo, have uncovered at least two separate spear-phishing campaigns targeting Russian and Belarusian non-profit organizations, Russian independent media, international NGOs active in Eastern Europe, and at least one former US ambassador. The Citizen Lab attributes one of the two campaigns to a known Russian threat group called COLDRIVER, with the other likely to be the work of a different, previously unnamed actor. Access Now and the Citizen Lab have dubbed this second actor COLDWASTREL.

Spear phishing describes a highly personalized way of attacking victims, using carefully tailored information that aligns with a target's personal and professional experiences and activities. Based on Access Now and the Citizen Lab's assessment, it is likely that these threat actors, or their sponsor organizations, are still targeting civil society with spear phishing and other techniques. For more details on the Digital Security Helpline's investigation, read our full technical report.

Our investigation into the first campaign began in March 2023, when the Russian human rights organization First Department alerted us to a phishing email received by several international NGOs. The sender impersonated a staff member using the Proton Mail platform. First Department also reported that the same staff member's Proton Mail account had previously been targeted by a phishing attack in October 2022, resulting in them losing access to their account. In August 2024, we were again alerted by a previously targeted organization about a new phishing attack on their staff that had occurred that same month. Our Digital Security Helpline team investigated these cases, then reported them to Proton, ICANN, and other service providers.

While investigating the attacks, we discovered that an IP address used by the attacker was linked to domains impersonating several prominent civil society organizations active in Eastern Europe. We alerted the organizations in question, one of which confirmed they had received a similar phishing email but preferred to stay anonymous for privacy and security reasons.

While some aspects of the attack indicate that the attacker, which we have dubbed COLDWASTREL, may be acting in the interests of the Russian regime, we cannot confidently attribute the attack to a particular actor at this stage.

In early 2024, Access Now and the Citizen Lab identified a different cluster of phishing attacks. The organizations and individuals targeted in this campaign included Russian and Belarusian civil society organizations and independent media, international NGOs, and at least one former US ambassador. The Citizen Lab has attributed this campaign to a Russia-based threat group, COLDRIVER (also known as, among other names, STAR BLIZZARD, SEABORGIUM, and CALLISTO). You can read more about COLDRIVER in the Citizen Lab's investigation. According to several governments, this group is a subordinate of the Russian Federal Security Service (FSB)'s Centre 18.

Below we describe the pattern of the spear-phishing attacks we observed and offer guidance on how you can work to prevent or mitigate such attacks.

Both kinds of attacks were highly tailored to better deceive members of the target organizations. The most common attack pattern we observed was an email sent either from a compromised account or from an account appearing similar to the real account of someone the victim may have known. The phishing attacks were personalized to show scenarios that the individuals or their organizations might feasibly encounter in their daily work, mentioning topics such as event planning or financial discussions.

The attacks also typically included a seemingly locked PDF attachment, sometimes with a link purporting to help unlock the PDF's content, but which in fact led to fake login pages aimed at harvesting the target's information.

While some targets told us that they did not engage with the phishing emails described in the two attacks, others were deceived into entering their user credentials.

Even though we did not directly observe credentials being passed back to the attacker's infrastructure, it is likely that the attackers were able to gain unauthorized access to some victims' email accounts.

If successful, such attacks could be enormously harmful, particularly to Russian and Belarusian organizations and independent media, since their email accounts are likely to contain sensitive information about their staff's identities, activities, relationships, and whereabouts. Any contact between Russian NGOs or independent media and Western-based organizations could be mischaracterized by the Russian government and used as a pretext to designate them as a "foreign agent" or "undesirable organization." In some cases, this could even lead to individuals being criminally charged and imprisoned.

The following recommendations have been prepared jointly by Access Now and the Citizen Lab.

Use two-factor authentication correctly. Experts agree that setting up two-factor authentication (2FA) is one of the most powerful ways to protect your account from getting hacked.

However, hackers like COLDRIVER and COLDWASTREL may try to trick you into entering your second factor; we have seen attackers successfully compromise a victim who had enabled 2FA. People using SMS messaging as their second factor are also at greater risk of having their codes stolen if a bad actor takes over their phone account.

We recommend that people use more advanced 2FA options, such as security keys or, if they are Gmail users, Google Passkeys. Here are three guides for increasing the level of security for your account:

Enroll in programs for high-risk users. Google and some other providers offer optional programs for people who, because of who they are or what they do, may face additional digital risks. These programs not only increase the security of your account, but also flag to companies that you may face more sophisticated attacks. Such programs include:

Consider online virus-checking sites. You may wish to use online virus-scanning sites, such as VirusTotal or Hybrid Analysis, to check suspicious links or files.

These recommendations address the kind of phishing that COLDRIVER and COLDWASTREL are currently using, but there are many other ways you could be targeted. Whatever your level of risk, we encourage you to get personalized security recommendations from the Security Planner, which also maintains a list of emergency resources and advanced security guides.

If you suspect that you have already been targeted in an attack, reach out to a trusted practitioner for advice. It is crucial to evaluate any damage to your organization and/or to other related organizations and individuals, such as partners, participants, grantees, and others. If this is the case, keep them informed about what has happened, what has been leaked, how this may impact them, and what steps you are taking to mitigate this impact.

If you believe you have been compromised, Access Now's Digital Security Helpline is available to support members of civil society, including activists, media organizations, journalists, and human rights defenders, 24/7 in nine languages, including Russian.
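As an added defensive example (not code from Access Now, the Citizen Lab, or the original post), the script below triages an email for the two indicators the attack-pattern section describes: a familiar display name on an unfamiliar sender address, and a "locked" PDF attachment whose embedded link is the actual lure. The contact list, message, addresses and placeholder domain are all constructed for the example; only the Python standard library is used.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed contact list: display name -> the address the team actually uses.
KNOWN_CONTACTS = {"Anna Example": "anna@example.org"}

def triage_message(raw: bytes, known=KNOWN_CONTACTS) -> list[str]:
    """Return the indicators found in one message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    # Indicator 1: a familiar display name on an unfamiliar address (lookalike account).
    expected = known.get(sender.display_name)
    if expected and sender.addr_spec.lower() != expected.lower():
        findings.append(f"lookalike sender: '{sender.display_name}' expected {expected}, "
                        f"got {sender.addr_spec}")
    # Indicator 2: a PDF attachment carrying a link (/URI action). This raw scan only
    # sees uncompressed objects; a production tool would also decode object streams.
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_payload(decode=True) or b""
        for uri in re.findall(rb"/URI\s*\((https?://[^)]*)\)", data):
            findings.append(f"PDF attachment {part.get_filename()!r} links to {uri.decode()}")
    # Indicator 3: the "locked document, click to unlock" lure text next to such a PDF.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if re.search(r"\b(locked|unlock|protected)\b", text) and any(f.startswith("PDF") for f in findings):
        findings.append("lure text: body asks the reader to unlock a locked document")
    return findings

def build_sample(sender="Anna Example <anna.example@lookalike.example>", with_pdf=True) -> bytes:
    """Constructed sample reproducing the described pattern; no real message, address or domain."""
    # Minimal uncompressed PDF with one link annotation pointing at a placeholder host.
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
           b"/URI (https://login.placeholder.example/unlock) >> >> endobj\n%%EOF\n")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "partner@example.net", "Event budget draft"
    m.set_content("Hi, the attached PDF is locked. Please use the link inside to unlock it "
                  "and review the budget before our call.")
    if with_pdf:
        m.add_attachment(pdf, maintype="application", subtype="pdf", filename="budget.pdf")
    return bytes(m)

if __name__ == "__main__":
    for line in triage_message(build_sample()):
        print(line)
```

A message that trips the lookalike-sender check deserves an out-of-band confirmation with the real contact before anything in it is opened, and any harvested link belongs in a sandbox or scanner such as the ones recommended above rather than a browser.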