Russia’s state security agency is launching increasingly sophisticated phishing attacks against members of American, European and Russian civil society, in some cases posing as individuals personally close to the targets, according to newly published security research.
A new report from the Citizen Lab at the University of Toronto and Access Now
The announcement comes as the FBI has separately launched an investigation into alleged hacking attempts by Iran targeting a Donald Trump adviser and aides to the Harris-Walz campaign.
State-sponsored hacking campaigns, including those seeking to influence political campaigns, are not new: Hillary Clinton was targeted by hackers linked to the Russian government in the months leading up to her failed 2016 presidential bid.
But researchers say attacks linked to the Russian state are becoming more sophisticated, both in terms of social engineering strategies and technical aspects.
Targets in the recent series of attempted attacks include former U.S. ambassador to Ukraine Steven Pifer and Polina Machold, the exiled Russian editor whose news organization, Proekt Media, had conducted high-profile investigations into Russian President Vladimir Putin and Chechen leader Ramzan Kadyrov.
In Pifer’s case, investigators said he was targeted after a “highly credible” exchange with someone posing as another former U.S. ambassador whom Pifer knew.
The Machold case also followed a more sophisticated method of attack. The editor, who lives in Germany after being expelled from Russia in the summer of 2021, was first contacted in November 2023 by email by a counterpart at another publisher she had previously worked with. He asked her to look at an attachment, but there was no attachment. She replied that it was missing. A few months later, he contacted her again, this time using a username on Protonmail, a free and secure email service often used by journalists. Alarm bells started ringing, she said, when an attachment in that email, which she opened and which looked like a Protonmail drive, asked for login details. She called the contact, who told her, surprised, that he had not been emailing her.
“I had never seen anything like this before. They knew I had contacts with that person. I had no idea, although I consider myself to be on high alert,” Machold said.
Machold said it was clear that anyone connected to the Russian opposition could be a target. “They need all the information they can get,” she said.
Researchers said the phishing campaign targeting Machold and Pifer was executed by a threat actor they called Coldriver, which several governments have attributed to Russia’s Federal Security Service (FSB). A second threat actor, called Coldwastrel, followed a similar attack pattern and also appeared to be focused on targets of interest to Russia.
“This research shows that Russian independent media and human rights groups in exile face the same type of advanced phishing attacks targeting current and former U.S. officials. However, they have far fewer resources to protect themselves and the risks of breach are far more severe,” said Natalia Krapiva, senior technology counsel at Access Now.
Nearly all of the targets who spoke to investigators remained anonymous for their own safety, but were described as prominent Russian opposition figures in exile, non-governmental personnel in the U.S. and Europe, funders and media organizations. One thing most of the targets have in common, investigators said, is their “extensive networks among sensitive communities.”
The most common tactic observed involved the threat actor initiating an email exchange with a target by posing as someone the target knows and asking them to review a document. Typically, a PDF purporting to be encrypted with a privacy-focused service such as ProtonDrive was attached, and the login page it led to might even be pre-populated with the target’s email address, making it appear legitimate. If the target enters their password and a two-factor code, both are relayed to the attacker, who can then use them to log in to the target’s email account.
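As an added example (not from the report or the article), the following Python helper shows how a defender could triage a “secure share” link of the kind described above before anyone clicks it: it checks whether the link really points at an allowlisted Proton domain, flags brand-lookalike hosts, and flags a recipient address pre-filled in the link. The allowlist and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed allowlist of registrable domains the real service uses; treat it
# as a placeholder to maintain for your own environment, not an authority.
LEGIT_DOMAINS = {"proton.me", "protonmail.com"}
BRAND_WORD = "proton"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (fine for the allowlist above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_share_link(url: str) -> dict:
    """Classify a document-share link as 'allow' or 'suspicious' with reasons."""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []

    if domain not in LEGIT_DOMAINS:
        # A host or path that borrows the brand name but sits outside the
        # allowlist is the classic lookalike lure.
        if BRAND_WORD in host or BRAND_WORD in parts.path.lower():
            findings.append("brand-lookalike host or path outside allowlisted domains")
        else:
            findings.append("host not in allowlist")

    # The lure described in the article pre-fills the victim's address;
    # look for one in the path, query or fragment after URL-decoding.
    decoded = unquote(" ".join((parts.path, parts.query, parts.fragment)))
    if EMAIL_RE.search(decoded):
        findings.append("recipient address pre-filled in link")

    if parts.scheme != "https":
        findings.append("not served over https")

    verdict = "allow" if domain in LEGIT_DOMAINS and not findings else "suspicious"
    return {"host": host, "domain": domain, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, not real indicators.
    for link in ("https://drive.proton.me/urls/ABC123",
                 "https://protondrive-share.example/login?user=target%40example.org"):
        print(triage_share_link(link))
```

Run it against links extracted from attachments or mail gateway logs; anything that comes back “suspicious” with a pre-filled address is worth a phone call to the apparent sender, as Machold did.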
“Once these attackers have access to credentials, we believe they will immediately work to access email accounts and any online storage, such as Google Drive, to extract as much sensitive information as possible. There are immediate risks to life and safety, especially if those accounts contain information about people still in Russia,” said Rebekah Brown, senior researcher at Citizen Lab.