Google's Threat Analysis Group (TAG) published a post titled “Tracking cyber activity in Eastern Europe”. In it, Google's analysts describe how a Russia-based threat group carried out highly targeted phishing attacks against a NATO center of excellence. The group COLDRIVER is said to be responsible.
COLDRIVER, a Russia-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns targeting several US-based NGOs and think tanks, the military of a Balkan country and a Ukraine-based defense contractor. The group's activity was documented years ago by analysts at F-Secure (now WithSecure).
Spear phishing against NATO
This is, however, the first time TAG has observed COLDRIVER campaigns targeting the militaries of several Eastern European countries as well as a NATO center of excellence. These campaigns were sent from newly created Gmail accounts to non-Google accounts, so their success rate is unknown. No Gmail accounts were observed to be successfully compromised during these campaigns.
According to Google, the following COLDRIVER credential-phishing domains have been observed:
- protect-link[.]online
- drive-share[.]live
- protection-office[.]live
- proton-viewer[.]com
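The domains above are published in defanged form (`[.]` instead of `.`) so they cannot be clicked by accident. To act on them, a defender refangs the indicators and matches them against proxy, DNS and mail-gateway logs, taking care to also catch subdomains (`www.drive-share.live`) without producing false hits on look-alikes such as `notdrive-share.live`. The script below is an added example written for this page; it is not code from Google TAG or from the original post, and the log lines it scans are constructed for illustration.

```python
import re

# Defanged COLDRIVER credential-phishing domains as listed by Google TAG.
COLDRIVER_DOMAINS_DEFANGED = (
    "protect-link[.]online",
    "drive-share[.]live",
    "protection-office[.]live",
    "proton-viewer[.]com",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') back into a real one."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp", "http"))


IOC_DOMAINS = frozenset(refang(d) for d in COLDRIVER_DOMAINS_DEFANGED)


def matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    The leading dot in the suffix check keeps 'notdrive-share.live' from
    matching, while 'www.drive-share.live' does. A host such as
    'drive-share.live.evil.com' is a different registrable domain and is
    deliberately not matched.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Hostname-looking tokens: matches bare DNS names as well as the host part
# of URLs and e-mail addresses. IP addresses do not match (TLD must be letters).
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def scan_log(lines):
    """Return (line_no, matched_host, line) for every log line referencing an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if matches_ioc(host):
                hits.append((n, host.lower(), line))
                break  # one hit per line is enough
    return hits


# Constructed sample log lines (proxy, mail gateway, DNS) -- not real data.
SAMPLE_LOG = [
    "2022-03-29T09:12:01Z proxy user=jdoe GET https://www.drive-share.live/doc/view?id=7 200",
    "2022-03-29T09:15:44Z mailgw from=newacct9981@gmail.com to=staff@example.org url=https://protection-office.live/share 250",
    "2022-03-29T09:20:10Z proxy user=asmith GET https://docs.google.com/document/d/abc 200",
    "2022-03-29T09:22:57Z dns query=protect-link.online type=A client=10.0.0.12",
    "2022-03-29T09:30:03Z proxy user=jdoe GET https://notdrive-share.live/ 200",
]

if __name__ == "__main__":
    for line_no, host, line in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} <- {line}")
```

Run against the constructed sample, lines 1, 2 and 4 are flagged; line 5 is not, because the suffix check requires a dot boundary. Exact-domain matching of this kind is a point-in-time check: the actors register new domains freely, so the list should be refreshed from the TAG post rather than treated as complete.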
According to the Reuters news agency, NATO has confirmed the attack on the center of excellence. "The NATO centers of excellence work together with the alliance, but are not part of NATO itself," the alliance told Reuters. NATO did not want to give any further details on the attack, but added: "We see malicious cyber activities on a daily basis."
More at Blog.google