
Russian hacking attacks target former US ambassadors and reveal past infiltrations

Russian opposition politician Ilya Ponomarev says he saw no reason for suspicion when he received an alleged email from former U.S. Ambassador to Russia Michael McFaul, a trusted contact with whom he regularly communicates.

“This letter was visually no different from his other letters. I believed it was his letter because it was visually no different from his other letters,” Ponomarev said in a Zoom interview with VOA Russian.

But that email, from several months ago, turned out to be one of numerous “phishing attacks” targeting U.S. diplomats and others, identified as the work of two cyber-espionage organizations linked to the Russian government. And the fact that it closely mimicked McFaul's earlier messages suggested that the attackers had already seen those earlier messages.

“The letter contained a reference to a report on Ukraine that McFaul allegedly wanted to present in China, as well as a request to check whether he had mixed anything up,” Ponomarev said. In fact, McFaul gave a lecture to Chinese students in April.

Ilya Ponomarev

McFaul confirmed to VOA that he was the target of a hacking attack, but did not elaborate. The details of the attack were recently revealed in a joint report by digital human rights group Access Now and Canadian nonprofit research organization Citizen Lab.

According to the report, the attacks were carried out between October 2022 and August 2024 by two “threat actors affiliated with the Russian regime” named ColdRiver and ColdWastrel.

According to The Washington Post, citing “several governments,” ColdRiver works for the Federal Security Service (FSB), the successor to the Soviet KGB, while ColdWastrel presumably works “for another Russian service.”

Their targets included Russian opposition figures living in exile, employees of American think tanks, former U.S. ambassadors to Russia, Ukraine and Belarus, politicians and academics, and employees of American and European non-profit organizations and media companies.

A screenshot of a post on Michael McFaul's X account.

VOA spoke to several of the people named as victims, including former U.S. Ambassador to Ukraine John Herbst, a Russian journalist and a Russian human rights activist, as well as Ponomarev and McFaul.

The goal of phishing attacks is to trick a user into clicking on a malicious link or entering their details – login and password – on a fake website. If the attack is successful, hackers gain access to the victim's confidential information, including correspondence, contact lists and, in some cases, financial information.

In their phishing campaigns, hackers use a technique called “social engineering.” A leading U.S. cybersecurity software and services company described it as “psychological manipulation” aimed at tricking users into revealing sensitive information.

Herbst, who is currently director of the Atlantic Council's Eurasia Center, told VOA that he has been subjected to attacks by Russian hackers for the past 10 years.

John Herbst

The Kremlin “didn't like what I was doing from the beginning because I pointed out that they were conducting an illegal invasion of Ukraine that went back, I guess, to 2014,” he said.

Herbst said Russian hackers target people who take a public stand and oppose Moscow's aggressive foreign policy: “So it's not surprising that people like Steve Pifer or Michael McFaul or myself have attracted the attention of the FSB, the GRU [Russian military intelligence] and others.”

Herbst added: “I don't want to overstate the attention they are giving us. You know, we are rather third-rate or even less third-rate actors on the international political stage, but they know that they have such a massive security apparatus that they give an ordinary man the task of monitoring people like me.”

“The things that connected me to Mike McFaul or Steve Pifer… were kind of a fluke, right? [To] see if they can get one of them to tell me something in confidence that would be embarrassing.”

Steven Pifer did not respond to VOA's request for comment on the details of the hacking attack.

Ponomarev stated that he replied to McFaul's fake email but did not have time to download the attached malicious file because he was on a plane when he opened the email and it was inconvenient to download the file from a phone.

“When I opened it on my computer, I noticed that the address he sent it to me from was not his usual address at Stanford University, it was a completely different one,” Ponomarev told VOA.

“As an IT professional, I looked at the IP address of the file in the email and was convinced that it was phishing. I then forwarded the information to the relevant authorities so that they could further investigate the case.”

Ponomarev added that the fact that the email allegedly from McFaul came from a mailbox of the Proton service did not initially arouse any particular suspicion.

“I also have an address at Proton for some kind of confidential correspondence,” he said, pointing out that attackers can spoof addresses at Proton by changing one letter so that it still visually looks like a regular mailing address.

“They use it because it's completely anonymous,” Ponomarev added. “You can't trace an IP address back to Proton. So if you use Proton, it's a dead end, you can't dig it up any further.”

Polina Machold, editor of Proekt, an independent Russian media outlet specializing in investigative journalism, told VOA that hackers also used social engineering and the Proton email service in the phishing attack against her last November.

“I received a letter from a 'colleague' at another media company with whom we had previously done a joint project, asking me to look at a new potential project or something similar,” Machold told VOA.

“We corresponded for a while and when I opened the file, I realized that something very suspicious was going on because the link in the file supposedly led to Proton Drive, but the domain was a completely different one.”

Machold said she called a colleague who confirmed that the attacker was impersonating him. The information was passed on to Citizen Lab, which determined that hackers believed to be linked to the FSB were behind the attack.
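The two warning signs described above, a sender address that differs from a trusted contact's by a single character and a link whose visible text names one domain while its real target is another, can be checked automatically on incoming mail. The following is an added example written for this article, not code from the report or from Citizen Lab; the contact list, the message sample and the simplified "registrable domain" helper (last two labels of the hostname) are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample address book (not from the report).
KNOWN_CONTACTS = {"mcfaul@stanford.edu", "colleague@proton.me"}

def edit_distance(a, b):
    """Levenshtein distance: a one-letter substitution scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender, known=KNOWN_CONTACTS, max_dist=2):
    """'known', 'lookalike:<trusted address>' or 'unknown'."""
    s = sender.strip().lower()
    if s in known:
        return "known"
    for k in known:
        if edit_distance(s, k) <= max_dist:
            return "lookalike:" + k
    return "unknown"

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r'[\w.-]+\.[a-z]{2,}', re.I)

def registrable(host):
    # Assumption: the registrable domain is the last two labels (good enough here).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def mismatched_links(html):
    """(visible text, href) pairs whose displayed domain is not the real target."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = DOMAIN_IN_TEXT.search(text)
        if not shown:
            continue  # link text carries no domain, nothing to compare
        real = urlparse(href).hostname or ""
        if registrable(shown.group()) != registrable(real):
            out.append((text.strip(), href))
    return out

# Constructed message body resembling the Proton Drive lure described above.
SAMPLE_HTML = ('<p>Draft attached:</p>'
               '<a href="https://drive.lookalike-example.net/f/1">https://drive.proton.me/file</a>'
               '<a href="https://drive.proton.me/f/2">drive.proton.me</a>')
```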

FILE - A woman uses her mobile phone in front of the Federal Security Service (FSB) building on Lubyanka Square in Moscow, Russia, June 24, 2023.

Dmitry Zair-Bek, chairman of the Russian human rights group First Department, said a member of his group was among the first targets of a hacker attack “because we defend people in cases of treason and espionage.”

“One of our employees received an email from an address that resembled the address of one of our partners,” he said. “The email contained a link that led to a phishing site.”

Zair-Bek added that the ColdWastrel group carried out the attack on the First Department.

“They are the middle schoolers of the hacker world,” Zair-Bek said of ColdWastrel. “The idea is the same as the ColdRiver group, they just paid less attention to some small details.”

“The fact that they are 'C' students does not mean that they are less effective. They are selecting a person who, in their view, has the greatest amount of information that interests them, on the one hand, and is the most vulnerable, on the other.”

Even someone well-versed in digital security issues can fall for hackers' lures, says Natalia Krapiva, an expert at Access Now who co-authored the report on the Russian hacking attacks.

“The ColdRiver and ColdWastrel groups use pretty sophisticated social engineering and a very good understanding of context,” she told VOA.

“They know how the organization is structured in general, which people are responsible for finance, personnel, politics, etc. That means they know which employees to send these [phishing] emails to. They also understand who these organizations are interacting with and on what topics.”

“We have seen examples of exploiting existing relationships between a Russian and an American human rights organization,” Krapiva added, noting that hackers knew one of the organizations was waiting for a grant application and sent a malicious PDF file to the waiting employee.

This suggests that hackers already have a certain amount of information at the time they attack their victims, she said.