Russian Intelligence Hackers Target Kremlin Critics with Phishing Emails

14.08.2024

Citizen Lab and Access Now report on a global phishing campaign linked to Russian espionage efforts.

New research from digital rights organizations Citizen Lab and Access Now reveals that hackers affiliated with Russian intelligence are using phishing emails to target Kremlin critics worldwide. The phishing campaign is described as part of a broad internet espionage operation, coinciding with US officials' vigilance over potential cyber threats to the 2024 presidential election. The emails, which started circulating around 2022, have been sent to exiled Russian opposition leaders, former US think tank and policy experts, academics, US and EU nonprofit employees, and media outlets. Some targets were still in Russia, putting them in significant danger. The phishing emails often impersonated known contacts of the victims to appear more legitimate.

Citizen Lab has linked the attacks to two groups: the well-known Russian hacking collective Cold River, associated with Russia's Federal Security Service (FSB), and a newer group called Coldwastrel, which supports Russian intelligence. The Russian embassy in Washington has not commented on the allegations. One notable victim was a former US ambassador to Ukraine, targeted through an email impersonating a fellow former ambassador. The emails typically contained a PDF prompting a click to decrypt, leading to a fake Gmail or ProtonMail login page, where entering credentials would grant hackers access to the accounts and mailing lists.

Dmitry Zair-Bek, head of the Russian rights group First Department, noted that while the attack was not sophisticated, its effectiveness was due to the unexpected nature of receiving a phishing email from a colleague. The number of targets was in the double digits, with most being targeted this year. Citizen Lab emphasized that the targets had extensive networks within sensitive communities, and a successful compromise could lead to severe consequences, including imprisonment. Cold River, one of the most active Russian hacking groups since 2016, has intensified its attacks on Kyiv's allies following Russia's invasion of Ukraine and has faced sanctions from the US and UK.