As European elections 2024 loom, Russia’s “espionage tactics” targeting European Union politicians and EU military establishments, among others, are becoming more sophisticated and better resourced, experts have told Brussels Signal.
An apparent Russian spy-service-linked cyber group, which Western intelligence and cybersecurity operators refer to as “ColdRiver”, is fast developing “fake-colleague relationships” with NATO-affiliated government and military targets.
It allegedly then sends “infected” PDF files to the group’s contacts, containing espionage malware allowing its members to access targets’ computers.
According to a January 19 report from Google’s Threat Analysis Group (TAG), ColdRiver successfully grabbed messages and data from senior UK establishment officials in December last year.
It is also targeting former senior intelligence and military officers, Ukraine, Eastern European military groups, high-profile universities and NGOs, TAG said.
Adam Goss, who works in cybersecurity at mobile operator Giffgaff and as a senior threat analyst at UK-based business process services provider Capita, told Brussels Signal: “This shift in tactics shows a significant increase in the threat-actor’s capabilities.”
ColdRiver operators have “expanded their tactics to using custom malware written in the Rust programming language”, originally developed by an employee of US-based NGO Mozilla, when previously they “relied on commodity malware and phishing campaigns,” he said.
Writing custom malware in a programming language such as Rust “requires time, effort and an advanced developer skillset”, Goss said.
That could mean ColdRiver was “now targeting organisations that have better cyber security, hence requiring custom malware to bypass their defences”, he added.
It may also be a sign “the Russian Government is investing more resources into this particular group, hence we see more advanced capabilities”.
Oliver Pinson-Roxburgh, founder of three UK cybersecurity start-ups, told Brussels Signal that, typically, such attackers would be “very surgical in the way they target their victims and use a combination of techniques”.
To gain the trust of its targets, ColdRiver often uses “impersonation accounts”, TAG said in its latest report.
Such an account-holder will pretend to be an expert in a particular field, or affiliated somehow with the target.
After establishing a rapport with the target, the account-holder will eventually send a PDF document containing the malware.
The EU constitutes an especially prime target, experts said, with nine Member States holding national elections in 2024. Five more will have regional or local elections and the entire EU will also vote for MEPs in June.
Russia, Goss said, is also targeting the US, which likewise has national elections approaching.
In defending against cyber-attacks, though, the EU often lags behind the US, he said, which has closer ties to its Big Tech and a “different approach” to privacy legislation and data sharing.
The “biggest differences are in the legislation and intelligence sharing”.
The US “typically avoids heavy legislation around data privacy at the State-level, whereas the EU has a heavy-handed approach and strongly enforces this through big fines, like [via] GDPR [EU General Data Protection Regulation laws]”.
The US Government has the most widespread access to intelligence worldwide, Goss said, and has strong ties to Big Tech “because most of it is US based”, so Washington “provides them access first”.
Microsoft and Google (including TAG) have close working relationships with US governmental agencies and companies and individuals likely to be in Russia’s sights for cyber-attacks.
Pinson-Roxburgh said the UK Government “does try to share intelligence with tech companies large and small via its Malware Information Sharing Platform (MISP) programme” and “launched a new platform for this recently”.
In the EU, intelligence sharing is mainly done through national-level Computer Emergency Response Teams (CERTs), which get their intelligence from a variety of governmental, non-governmental and foreign sources, Goss said.
“The quality of intel you get is very dependent on how well your CERT is set up – its connections, its sharing capabilities – and what non-national intel-sharing communities you are a part of,” he added.
Pinson-Roxburgh pointed out that European industries such as banking and telecommunications require strong cyber security and do have “good” intelligence-sharing communities.
For many private cybersecurity firms, though, “intelligence is their intellectual property and sharing can be tricky”, he added.
Such sharing “needs to be a priority for everyone in order to effectively stop the sorts of attacks we have been seeing in recent months”.
There also needs to be a way to address data-sharing securely and anonymously but with a means to validate that intelligence with confidence, Pinson-Roxburgh said.
That, he added, “may only be possible using technologies like blockchain”.