The Decibel - University of Toronto lab unmasks Russian hacking campaign
Episode Date: August 20, 2024
By now, most people know how to recognize the signs of a phishing e-mail – poor spelling and grammar, strange sender e-mail addresses, and of course, an instruction to click on a link, where you're asked to put in your banking or login credentials. But these scams are becoming more sophisticated and politically motivated.
Last week, Citizen Lab at the University of Toronto uncovered what they're calling the River of Phish campaign, which uses sophisticated social engineering practices to target people, including a former U.S. ambassador to Ukraine. The Globe's telecom reporter Alexandra Posadzki is on the show to talk about what Citizen Lab found, how the scheme works, and what we know about the Russia-linked group behind it.
Questions? Comments? Ideas? Email us at thedecibel@globeandmail.com
Transcript
Most of us have seen our share of phishing scams.
They land in our inboxes, our texts, even our phone calls.
Someone is trying to get us to click on a link or give up personal information.
And by now, we might think we're pretty good at identifying and avoiding them. But a new report from the University of Toronto's Citizen Lab uncovered
a phishing campaign that is much more sophisticated. And international intelligence
believes the group behind it is linked to Russia's security service. So today, we're speaking with
The Globe's Alexandra Posadzki. She'll tell us what Citizen Lab found, how this phishing campaign works,
and what we know about the mysterious group that's behind it.
I'm Menaka Raman-Wilms, and this is The Decibel from The Globe and Mail.
Alex, great to have you back.
Thanks so much for having me.
So what was actually in last week's report from Citizen Lab?
So what Citizen Lab, along with their research partners, including Access Now, has done is they've found what they call a spear phishing campaign.
So a sophisticated cyber attack, essentially.
And they've managed to link it to this group called Cold River, which is sort of a notorious Russian-linked hacking group.
And so what they go through in this report is, you know, how these hacks occur, how they managed to link them to Cold River.
And then also the fact that along with Access Now, they've actually managed to identify what appears to be a whole new threat actor, which they have nicknamed Cold Wastrel.
Wow. Okay. So there's a lot here. We're going to get into Cold River, Cold Wastrel,
what's actually involved in this spear phishing attack. But let's just kind of lay out, this
report is from a group called Citizen Lab. This is out of the University of Toronto.
Just briefly, Alex, who is this group? What do they do? How do they operate?
So Citizen Lab, they're a lab essentially based out
of U of T's Munk School of Global Affairs and Public Policy. And they do research on sort of things at
the intersection of information and communication technologies, human rights and global security.
And, you know, they're funded by various foundations. And so they've done a lot of research specifically looking at different
cyber attack campaigns and linking them to sort of state actors around the world.
Okay. Okay. So let's actually get into these hacking attacks that they were looking at.
Can we start by talking about the people, I guess, that they were targeting? So who were
these attacks actually targeting? So the one common thread between all of these attacks is essentially some kind of connection to Russia, Belarus or Ukraine.
And what they found is that the attackers were targeting people who are seen to be enemies of the Russian state.
And so they could be, for example, Russian opposition figures who are living in exile. In one case, they went after a former
U.S. ambassador to Ukraine, Steven Pifer, who is now working at a U.S. think tank. A lot of the
victims that they were targeting actually chose to remain confidential in order to sort of protect
their privacy and their security. But a few of them did come forward, including an investigative journalism group
out of Russia that has done a lot of high profile investigations into Russian state corruption.
Do we know, Alex, what the hackers were trying to gain?
Essentially, what they're trying to do through these attacks is get the target's credentials
to be able to log into their email account. And so they're looking at people who have a lot of connections in these sort of sensitive communities. So for example,
Russian dissidents. And so then they're able to get into their email accounts and presumably
pull out some kind of intel or, you know, use access to that person's email account to then
go after and target people that they have
contacts to. Okay. And you use the term spear phishing a little earlier to describe these
attacks. So explain what that means. How does this attack actually work? Yeah. So spear phishing is a
type of phishing and phishing is a social engineering attack. So what that means is that
it's essentially trying to trick people into doing something. So revealing sensitive information or perhaps installing malware onto their devices.
And spear phishing is a more advanced form of phishing.
And so whereas phishing, you know, we all get phishing emails and someone saying,
hey, this is Amazon, your delivery is delayed.
Click here and log into your Amazon account to track it.
Or this is your bank,
please insert your banking information because someone's compromised your bank account or what have you. So spear
phishing is much more targeted and specific. And so rather than sending out these emails to
large swaths of the population, they're actually going after very specific individuals. And so
what we saw in these attacks is a lot of research that the attackers
are doing into their targets. They're figuring out what kind of work they're doing, what they're
interested in. And they're sending out these emails impersonating people that the targets
know personally. And they're doing it in such a convincing manner that in some cases, the targets
actually thought that they were communicating with the person who was being impersonated.
So they've gathered all this intel.
Like you said, they do research on who this person is, who they might be working with or communicating with.
And then they impersonate someone that they think that individual will know then.
So in the example of a media organization, it might look like them finding out who your editor is and pretending to be your editor and saying, hey, I have the edits on your latest story. Can you please review these? And then there's an attachment, which is a PDF. And when you open that PDF, it looks like or it's mimicking what the target might think is an encrypted file. And it's saying, you know, this is an encrypted file,
please click here to decrypt.
And it's when you click that it then takes you to a website
that looks like your email server.
So it mimics Gmail or ProtonMail
or whatever email server you use.
And then it asks you to put in your username
and your password.
And so that information is then being sent to the hackers,
and then they can use it to essentially log into your email. And they've even found ways to bypass two-factor authentication.
Wow. It really does seem like this group Cold River, these hacking attacks are finding ways
to get their targets' guard down and trust, I guess, the person who's supposedly sending this
email. So how do they build that trust?
Like, how do they establish that with their target?
Well, actually, one of the really frightening things that came out of this report is that
in some cases, they're actually not even sending the document right away.
So, you know, we've all, of course, been trained to look for emails with attachments that we're
not expecting, unsolicited
attachments. We're all on high alert for them. But in some cases, they're actually establishing
contact and trying to develop trust and communication with the target before they even
send the PDF, or maybe they're pretending to forget the PDF. And so they've seen in some cases,
the target themselves asking for the attachment. And so at that point,
it's no longer an unsolicited attachment. It's something that is actually being solicited by
the target. And so then they're much more likely to fall for it, essentially.
Yeah. There's like, you know, this person, you're working with this person. So you're
trusting that what you're getting from them is real. Let's actually dig into the group that's
behind these phishing attacks then. Who is Cold River? Yeah, so Cold River has actually
been reported on quite extensively over the past several years. And there's this advisory from a
group of cybersecurity and intelligence agencies from each of the Five Eyes intelligence countries.
And so the Five Eyes, of course, are Canada, the US, Britain, Australia, and New Zealand.
It's basically like a security network.
They share information.
They share information, exactly.
And so they've put out this advisory where they've actually said that Cold River is almost
certainly doing hacking on behalf of the Russian FSB.
And so the Russian intelligence agency, and they've actually
specifically linked it to a sector of the FSB. Wow. And I understand too, that like,
there was a whole bunch of different names, but we think now this is all the same group. Can you
just, I guess, walk me through that and how we understand how this is working?
So essentially, there's different groups that have been doing research into this threat
actor.
And so they've all given them different nicknames.
So some call them Star Blizzard, some call them Callisto Group or Blue Callisto.
At one point, they were referred to as Seaborgium.
And what has come out of all of these different attempts at researching this threat actor
is they all kind
of are, you know, using the same tactics and the same technology. And so these research groups,
when they dig into them, they can identify that it appears to be the same threat actor.
We'll be back after this message.
Of course, Citizen Lab studies lots of different cybersecurity issues,
threats. What did they say was particularly notable about this one? Like, why is this
something that, you know, people are paying attention to? Well, what's really kind of
unsettling about it from the perspective of one of the Citizen Lab senior researchers that I spoke
to is that in spite of all this publicity and all of this press that this group has gotten,
over recent years, they're actually still continuing, persisting in their attacks,
which is quite bold. They haven't stopped. They haven't really like changed up their tactics.
They're actually kind of still out there doing their thing, even though there's quite a bit of
awareness about them now.
Wow. How does this fit into the larger history of Russian cyber espionage?
Well, Russian cyber espionage has been going on for decades. And, you know, it's undertaken by
multiple state security agencies and sometimes actually with the participation of organized
crime groups or private sector entities. And it's actually not even the first time that Citizen Lab has done a report on this.
For example, in 2017, they published this report talking about a hack that was sort of Russian-aligned,
which they referred to as Tainted Leaks.
And it was also looking into a phishing operation that had targeted 200 different people across 39 countries.
And some of the targets included government officials, military officials, CEOs of energy companies.
So obviously not the first time that a Russian state organization or state agency has done
this and not the first time the Citizen Lab has looked into it.
And way earlier in our conversation, Alex, you mentioned that Citizen Lab also identified another threat actor. So can we talk about that? What else did they find?
So what happened here is actually this other group called Access Now had been contacted by
various people who had been targeted by a spear phishing campaign. And they thought maybe at first
that it was also Cold River. And when they started
digging into these attacks, they actually found that while the tactics that were being used
were very similar to Cold River's tactics, there were actually some notable differences.
And so what the researchers at Citizen Lab and Access Now have determined is that this is very likely a separate threat actor.
It could also perhaps be an existing threat actor that's kind of decided to switch up their tactics.
But there were enough differences there that they don't think that this is part of the River of Phish campaign, as Citizen Lab has called it, that is associated with Cold River that they're studying here.
They think it's potentially a separate threat actor. And so some of the differences that they found were,
for example, the version of PDFs that were being used, the links that were being used were, you
know, distinct links with the River of Phish campaign versus using the same link for this new threat
actor. And also, I think the language was different. So English in the River of Phish campaign
versus Russian in this other campaign by this threat actor that they have dubbed Cold
Wastrel. I think what a lot of us may be thinking about is, of course, the U.S. election is coming
up, right? We've seen before, you know, interference and attempted interference in a lot of elections
as well. Is there any indication that a group like this might attempt to target the election?
I think when you have something as politically charged and high stakes as a U.S. election,
you are going to see more phishing attacks,
more spear phishing attacks,
more disinformation campaigns.
And so I think it would be prudent for us all
to be on the lookout for those sorts of things,
especially people who work in media,
people in
positions of political authority, and people who are vulnerable to these types of attacks. Because,
you know, one of the things that comes up in this report is that a lot of the targets in this
campaign, if they were infiltrated successfully, it could be really risky for them. Some of them are,
you know, perhaps Russian opposition figures or Russian media organizations who are actually still living in Russia.
And so for them to be compromised, it could potentially result in physical harm and violence and imprisonment.
And so it's really high stakes for some of these targets.
Yeah, I mean, I'm glad you brought that up because we, you know, we briefly kind of talked about the people that have been targeted by this group.
But for a lot of them, it sounds like there are some really severe consequences potentially for being
hacked in this way. Yeah, absolutely. And, you know, maybe not the same level of resources
that targets in the U.S. would have. Yeah. Just lastly here, Cold River's targets seem to be
quite specific. I guess just broadly, though, if people are concerned about this kind of phishing,
you know, as you said, all of us do see these phishing attempts from different actors.
I guess what can we do to protect ourselves?
What are the kinds of things we should really look out for?
Yeah, so they do in this report kind of list a number of steps that people can take to
protect themselves.
One of them, of course, is using two-factor authentication.
And specifically, they recommend not using SMS or text messages for your two-factor authentication,
but setting up an authenticator app.
So that's going to provide a greater level of security.
There's also other things you can do.
So if you get an email from someone that is asking you to open an attachment, you should
check your inbox for that person's email address and see whether the email you've received
most recently, whether the address is exactly the same as maybe past emails that you've received from that person. So is there that
one letter of misspelling or an extra period or something that would suggest that maybe
the person sending you the email is not actually the person that you think that it is? You can
connect with that person via a different medium. So a phone call or a text
message. Another thing that was really interesting about these attacks is they actually seem to be
capitalizing on a lack of understanding of how encryption works. Because these PDFs that people
would open, they would show this kind of blurred text. And then over top of it would be like click to
decrypt. And apparently just the actual visual appearance of it is very, very different from
an actual encryption service. And so a lot of the people who were being targeted, they didn't
necessarily know how a file would actually look if it were encrypted. So like, according to this
report, that blurred text, like that's not how it would appear. So, you know, maybe familiarizing yourself with
encryption technology would be a good step. And, you know, they suggest like just not clicking,
don't open the document. Oh, and then of course, you know, if you use a service like
Gmail, you can actually go in and check the access logs to see sort of when your account
was accessed and whether, you know, it looks like somebody other than you was logging into your
account. And so there's, you know, a bunch of different things that you can do. But the key
takeaway really is just to remain vigilant and on the lookout. You know, I think what
really took people by surprise here is just the level of sophistication to these attacks, right?
Because it's, you know,
we all know what a phishing email looks like, we get all of that corporate training to help us sort
of identify phishing emails, but we're not necessarily used to somebody who is, you know,
put so much research and time and energy into impersonating someone that we know, someone who
knows what we're working on. And so I think we need to just be more vigilant than ever and not assume
that the person you're corresponding with, especially if they're trying to get you to
open a PDF and review a document, that they're actually who they say they are. And so we need
to be a little bit suspicious and maybe it feels a little bit extra sometimes to be that suspicious
of people you're communicating with, but better safe than sorry. Alex, always
great to have you here. Thank you so much. Thank you. That's it for today. I'm Menaka Raman-Wilms.
Our producers are Madeline White, Rachel Levy-McLaughlin, and Michal Stein. David Crosby
edits the show. Adrienne Chung is our senior producer
and Matt Frainer is our managing editor.
Thanks so much for listening
and I'll talk to you tomorrow.