Russian opposition politician Ilya Ponomarev says he saw no reason to be suspicious when he received what appeared to be an email from former U.S. ambassador to Russia Michael McFaul, a trusted contact with whom he communicates periodically.
“This letter was visually no different from his other letters. I believed that it was his letter because it was visually no different from his other letters,” Ponomarev told VOA Russian in a Zoom interview.
But this email from several months ago turned out to be one of numerous “phishing attacks” targeting U.S. diplomats and others that have been identified as the work of two cyber-espionage outfits linked to the Russian government. And the fact that it accurately mimicked McFaul’s previous messages indicated the attackers had already seen those earlier messages.
“The letter contained a reference to a report on Ukraine that McFaul supposedly intended to deliver in China, and also a request to check whether he had mixed something up,” Ponomarev said. McFaul did in fact deliver a lecture to Chinese students in April.
McFaul has confirmed to VOA that he was the target of a hacker attack but did not elaborate. The details of the attack were revealed in a recent joint report from the digital rights group Access Now and the Canadian research nonprofit Citizen Lab.
The report says the attacks were conducted between October 2022 and August 2024 by two “threat actors close to the Russian regime” known as ColdRiver and ColdWastrel.
According to The Washington Post, “multiple governments” have said that ColdRiver works for the Federal Security Service, or FSB, the successor agency to the Soviet KGB, while ColdWastrel is believed to be “working for another Russian agency.”
Among their targets were exiled Russian opposition figures, employees of U.S. think tanks, former U.S. ambassadors to Russia, Ukraine and Belarus, political figures and academics, employees of American and European non-profit organizations, and media organizations.
VOA has spoken with several of those named as victims, including former U.S. Ambassador to Ukraine John Herbst, a Russian journalist and a Russian human rights activist, as well as Ponomarev and McFaul.
The goal of a phishing attack is to get a user to click a malicious link or to enter their credentials, a login and password, on a fake website. If the attack succeeds, the hackers gain access to the victim’s confidential information, including correspondence, contact lists and, in some cases, financial information.
Hackers conducting phishing campaigns employ a technique called “social engineering,” which a leading American cybersecurity software and services company described as using “psychological manipulation” designed to trick users into divulging sensitive information.
Herbst, who is currently director of the Atlantic Council’s Eurasia Center, told VOA that he has been facing attacks from Russian hackers for the past 10 years.
The Kremlin “didn’t like from the beginning what I was doing because I was pointing out that they’re conducting an illegal invasion of Ukraine, I guess going back to 2014,” he said.
Herbst said that Russian hackers target people who take a public position aimed at countering Moscow’s aggressive foreign policy: “So, it’s not surprising that people like Steve Pifer or Michael McFaul, or myself have received attention from the FSB, the GRU [Russian military intelligence] and others.”
Herbst added: “I don’t want to overstate the attention they give to us. You know, we are pretty much tertiary or even less than tertiary players on the international political scene, but they know they have such a massive security apparatus that they give some low-level guy the job of following people like me.”
“The stuff that linked me with Mike McFaul or Steve Pifer … was a fishing expedition, right? [To] see if they could get one of them to say something in confidence to me, which would be embarrassing.”
Steven Pifer did not respond to a VOA request for comment on the details of the hacker attack.
Ponomarev said that he responded to the fake McFaul email, but did not have time to download the malicious file attached to it since he was on a plane when he opened the email, and it was inconvenient to download the file from a phone.
“When I opened it on my computer, I noticed that the address he sent it to me from was not his usual Stanford University address, it was something completely different,” Ponomarev told VOA.
“Being an IT guy, I looked at the IP address of the file in the email and was convinced that it was phishing. After that, I passed the information on to the competent authorities so that they could look into the matter further.”
Ponomarev added that the fact that the email ostensibly sent by McFaul came from a Proton mailbox did not initially arouse any particular suspicion.
“I also have an address on Proton, for some kind of confidential correspondence,” he said, noting that attackers can forge addresses on Proton by changing one letter, so that visually it still looks like a regular mailing address.
“They use it because it’s completely anonymous,” Ponomarev added. “You can’t trace an IP address to Proton, so when you use Proton, it’s a dead end, you can’t excavate it any further.”
Polina Machold, publisher of Proekt, an independent Russian media outlet specializing in investigative journalism, told VOA that in the phishing attack targeting her, which took place last November, the hackers also employed social engineering and the Proton mail service.
“I received a letter from a ‘colleague’ from another media outlet, with whom we had previously done a joint project, asking to look at a new potential project or something like that,” Machold told VOA.
“We corresponded for some time, and when it came to opening the file, I discovered that something very suspicious was going on, because the link in the file supposedly led to Proton Drive, but the domain was something completely different.”
Machold said she called a colleague who confirmed that the attacker was pretending to be him. The information was passed on to Citizen Lab, which determined that hackers likely associated with the FSB were behind the attack.
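The two tells described above, a sender address that differs from a trusted contact’s by one character (or a known name arriving from an unrelated mailbox) and a link whose visible text names one domain while its real target is another, can both be checked mechanically before anyone clicks. The following is an added example, not code from the article, from Citizen Lab or from Access Now; every address, name and link in it is constructed for illustration.

```python
"""Two defender-side checks for an inbound email, matching the tricks the
article describes: lookalike sender addresses and display/target link
mismatches. Added example; all data below is constructed, not real."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed trusted-contact list: display name -> known addresses.
# (Placeholder domains; these are not anyone's real addresses.)
TRUSTED_CONTACTS = {
    "Former Ambassador": {"ambassador@university.example"},
    "Colleague": {"colleague@newsroom.example"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(display_name: str, address: str) -> str:
    """'known'      : the address is the contact's own.
    'lookalike'  : within two edits of the contact's address (one swapped letter).
    'name-reuse' : a trusted display name arriving from an unrelated mailbox
                   (the "same name, different provider" case in the article).
    'unknown'    : the display name is not a contact at all."""
    known = TRUSTED_CONTACTS.get(display_name)
    if not known:
        return "unknown"
    addr = address.lower()
    if addr in known:
        return "known"
    if any(edit_distance(addr, k) <= 2 for k in known):
        return "lookalike"
    return "name-reuse"


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s: str) -> str:
    """Lowercased hostname of a URL or bare domain; '' if the text is not one."""
    if not s or " " in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def mismatched_links(html: str):
    """Links whose visible text names a host different from the href's host.
    Returns (shown_host, real_host) pairs; plain 'click here' text is skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = _host(text)
        if shown and "." in shown and shown != _host(href):
            findings.append((shown, _host(href)))
    return findings


# Constructed message body: the first link shows a "Proton Drive"-style URL
# but actually points at an unrelated host; the second is honest.
SAMPLE_HTML = """
<p>Please review the draft: <a href="https://drive.proton.example.evil.test/s/abc">https://drive.proton.example/s/abc</a></p>
<p>Our site: <a href="https://newsroom.example/about">newsroom.example</a></p>
<p><a href="https://evil.test/login">click here</a></p>
"""

if __name__ == "__main__":
    print(classify_sender("Former Ambassador", "ambassad0r@university.example"))
    print(classify_sender("Former Ambassador", "ambassador@secure-mail.example"))
    print(mismatched_links(SAMPLE_HTML))
```

The sender check only fires when the display name is one you already trust, which is exactly the situation Ponomarev and Machold describe: a familiar name whose address is almost, but not quite, the usual one. The link check deliberately ignores anchors whose text is not itself a URL or domain, so it catches the Proton Drive case without flagging every “click here”.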
Dmitry Zair-Bek, who heads First Department, a Russian rights group, said that a member of his group was among the first targets of a hacker attack “because we defend people in cases of treason and espionage.”
“One of our employees received an email from an address that mimicked the address of one of our partners,” he said. “The email contained a link that led to a phishing site.”
Zair-Bek added that the ColdWastrel group carried out the attack targeting First Department.
“They are the ‘C’ students of the hacker world,” Zair-Bek said of ColdWastrel. “The idea is the same as the ColdRiver group, they just paid less attention to some small details.
“The fact that they are ‘C’ students does not mean that they are less effective. They choose a person who from their point of view, on the one hand, has the largest amount of information that interests them and, on the other hand, is the most vulnerable.”
Even someone well-versed in digital security issues can fall for the bait of hackers, says Natalia Krapiva, an expert at Access Now, which co-authored the report on the Russian hacker attacks.
“The ColdRiver and ColdWastrel groups use quite sophisticated social engineering, a very good understanding of the context,” she told VOA.
“They know how the organization is structured in general, which people are responsible for finance, HR, politics, and so on. That is, they know which employee to send this [phishing] email to. They also understand with whom these organizations interact and on what issues.”
“We have seen examples of exploiting existing relationships between a Russian and an American human rights organization,” Krapiva added, noting that hackers knew that one of the organizations was waiting for a grant application and sent a malicious PDF file to the employee who was waiting for it.
This suggests that hackers already have a certain amount of information at the time they attempt to attack their victims, she said.