{
	"id": "e5e63465-a8af-4f01-950f-bd6037d3eeee",
	"created_at": "2026-04-06T00:14:03.253425Z",
	"updated_at": "2026-04-10T13:12:25.320555Z",
	"deleted_at": null,
	"sha1_hash": "5495a3408eaba2930d9c5289ad7f876cc89a22e9",
	"title": "Russian pro-democracy nonprofit investigates alleged data breach by Kremlin-backed hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79396,
	"plain_text": "Russian pro-democracy nonprofit investigates alleged data breach\r\nby Kremlin-backed hackers\r\nBy Daryna Antoniuk\r\nPublished: 2024-09-10 · Archived: 2026-04-05 13:18:18 UTC\r\nThe U.S.-based Free Russia Foundation nonprofit said it is investigating a data breach after thousands of emails\r\nand documents supposedly related to its work were published online.\r\nThe organization suspects that the incident is linked to the Kremlin-sponsored hacker group tracked as Coldriver,\r\naccording to a statement released late last week.\r\nThe Free Russia Foundation describes itself as a “nonprofit, nonpartisan, nongovernmental advocacy and justice\r\norganization led by Russians abroad.” Its most recognized members include Vladimir Kara-Murza, a Russian-British political activist, journalist and former political prisoner.\r\nThe organization’s statement about the attack came a few weeks after digital rights nonprofit Access Now and\r\ndigital forensic organization The Citizen Lab published a report about Russia-aligned phishing campaigns that\r\ntargeted human rights organizations, independent media, and civil society members from Eastern Europe and the\r\nU.S.\r\nThe report identified two threat groups supposedly “close to the Russian regime” who were likely behind the\r\nattack: Coldriver and Coldwastrel.\r\nColdriver’s activity was first discovered by Google in 2022. The group is known for targeting high-profile\r\nindividuals, former intelligence and military officers, and NATO governments. 
Google reported that the group’s\r\nespionage activities align with the interests of the Russian government.\r\nDuring the attack on the Free Russia Foundation, the hackers reportedly compromised “a number of entities,”\r\nresulting in the theft of correspondence, including grant reports and internal documents, according to the\r\norganization’s statement.\r\n“One of the possible goals of this criminal cyberattack is to serve as a pretext for a new wave of repression against\r\npro-democracy Russians.”\r\nThe Free Russia Foundation said that the attack “didn’t come as a surprise, as everyone who opposes Putin and his\r\nsystem, whether in our team or in other human rights or political opposition organizations, faces risk every day.”\r\n“Despite continuous attacks from the Kremlin and its agents, the Free Russia Foundation remains committed to\r\nstopping the criminal war unleashed by Putin’s regime on Ukraine and to making Russia free and democratic,” the\r\nstatement reads.\r\nhttps://therecord.media/free-russia-foundation-data-breach\r\nPage 1 of 3\n\nThe investigation into the attack is still ongoing, and many details remain unknown. The Free Russia Foundation\r\ndid not reply to Recorded Future News’ request for comment.\r\nEarlier in September, a Russian-language Telegram channel began publishing documents that were allegedly\r\nleaked from the Free Russia Foundation. 
The hackers claimed they obtained over 2,500 “email chains” and more\r\nthan 13 GB of electronic documents.\r\nThe information likely includes “strategic planning documents and other management data, as well as data on the\r\nfund’s accounting, including receipts,” the hackers said.\r\nUnnamed former employees of the foundation confirmed to Russian independent media that the leaked documents\r\nare genuine, though no other evidence has been provided to support this.\r\nAfter the documents were published online, “we immediately started calling colleagues who might be at direct\r\nrisk and working to support these people, investigate, and deal with other urgent issues,” said Egor Kuroptev, the\r\ndirector of the Free Russia Foundation.\r\nHe suggested that this data leak could be used by hackers as a \"bright demonstration\" of the results of a large-scale\r\nattack against many organizations. “We are going through a difficult period that dozens of organizations have\r\nfaced,” Kuroptev said.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/free-russia-foundation-data-breach",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/free-russia-foundation-data-breach"
	],
	"report_names": [
		"free-russia-foundation-data-breach"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5495a3408eaba2930d9c5289ad7f876cc89a22e9.pdf",
		"text": "https://archive.orkl.eu/5495a3408eaba2930d9c5289ad7f876cc89a22e9.txt",
		"img": "https://archive.orkl.eu/5495a3408eaba2930d9c5289ad7f876cc89a22e9.jpg"
	}
}