In the latest episode of the Distilling Cyber Policy podcast, Alex Botting and Jen Ellis from the Center for Cybersecurity Policy & Law are joined by Rebekah Brown and John Scott-Railton, senior researchers at the Citizen Lab. Together, they discuss the Citizen Lab’s “Rivers of Phish” report on sophisticated phishing targeting Russia’s perceived adversaries. The report was a collaborative investigation with Access Now alongside civil society organizations First Department, Arjuna Team, and RESIDENT.ngo.
Scott-Railton and Brown discuss COLDRIVER (also known as STAR BLIZZARD) and COLDWASTREL, two distinct threat actors that share similar targets. While COLDRIVER is a well-known threat actor and is widely attributed to the Russian FSB, COLDWASTREL appears to be a novel group whose targeting also aligns with the interests of the Russian government. Both groups leverage sophisticated deception, using highly tailored phishing messages, combined with just-enough technical sophistication, to evade blocking efforts.
Scott-Railton explained that COLDRIVER typically used innocuous-seeming requests to review relevant documents or proposals. Typically, the attackers would send malicious links only after a target engaged with an initial outreach. The attackers also implemented several technical steps to ‘validate’ that the targets were the individuals clicking links (and not automated scanning by email providers), before displaying phishing pages. This helped them avoid exposing their infrastructure to defenders at email platforms. “It is a clever filter step and scalable,” he adds, emphasizing the efficiency of this tactic.
Brown urges people to be vigilant when receiving emails. She advises individuals to double-check with senders to confirm the authenticity of the message. She notes that authorities are working to counter these attacks, citing recent actions by the U.S. Department of Justice, in coordination with NGO ISAC and Microsoft, to seize domains used in these targeted attacks.
Distilling Cyber Policy is the podcast for those that want to follow and understand global public policy events and developments related to cybersecurity.
Listen to the full episode here.