Google researchers have uncovered evidence that a well-known Russian-linked hacking group, known as “Cold River,” is adapting its tactics, moving beyond phishing schemes to using malware to infiltrate its targets and obtain sensitive data from them.
Previously referred to as “Callisto Group” and “Star Blizzard,” Cold River has a long history of conducting malicious campaigns against NATO nations, with its primary targets being the United States and the United Kingdom.
Experts believe that the group’s activities, which commonly aim at high-profile individuals and organizations involved in international affairs and defense, suggest direct ties to the Russian government. In December of last year, U.S. prosecutors indicted two Russian citizens believed to be members of this group.
The Threat Analysis Group (TAG) at Google released a new report this week highlighting Cold River’s recent increase in malicious activity and its use of more advanced tactics that have the potential to cause significant damage to its victims. While primarily targeting Ukraine and its NATO allies, the group has also set its sights on academic institutions and non-government organizations.
This update comes shortly after researchers from Microsoft discovered that Cold River had enhanced its ability to avoid detection.
In research shared with TechCrunch, TAG states that Cold River has shifted its strategy from attempting to steal credentials through phishing scams to distributing malware using PDF documents as bait.
These PDF documents have been distributed since November 2022 and appear as opinion-editorial pieces or other types of articles that the targeted individual or organization would be interested in providing feedback on. Once opened, the document appears to contain only encrypted text. If the victim informs the sender that they cannot read the document, the hacker sends a link to a “decryption” tool, which TAG has discovered to be a customized backdoor named “SPICA.” This backdoor grants the attackers persistent access to the victim’s computer, allowing them to execute commands, steal browser information, and exfiltrate sensitive documents.
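The lure chain above has two observable halves: an attachment whose extracted text reads as ciphertext rather than an article, and a follow-up from the sender that points at a "decryption" download. The script below is an added triage example written for this page (it is not code from Google TAG or from the report) that scores both signals over constructed sample text; the sample texts, the entropy and word-ratio thresholds, the stop-word list and the `example.invalid` URL are all assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter

# Constructed samples (not from the TAG report): text an analyst might pull
# out of two PDF attachments with any PDF-to-text extractor.
OPED_TEXT = """The alliance faces a choice this winter. Ministers should commit
to sustained support for Ukraine, because a wavering stance invites further
pressure on the eastern flank. I welcome comments on the draft before Friday."""

GIBBERISH_TEXT = """U2FsdGVkX1+7hQ9kT3Zp0mN4w8LxR1cYvB2aJ5eDfGhKlMnOpQrStUvWxYz0123
qAzWsXeDcRfVtGbYhNuJmIkOlP9o8i7u6y5t4r3e2w1q0p9o8i7u6y5t4r3e2w1qAz
ZxCvBnMaSdFgHjKlQwErTyUiOpLkJhGfDsAzXcVbNm1234567890abcdefghijklmno"""

# Constructed follow-up messages from the same mail thread.
BENIGN_REPLY = "Thanks, I will send my comments on the draft by Friday."
DECRYPTOR_REPLY = ("Sorry it showed as garbage. Download our decryption tool "
                   "from https://example.invalid/decrypt and open it again.")

# Everyday English function words (multi-letter only, so stray single
# letters inside an encoded blob never count as hits). Assumed list.
COMMON_WORDS = {
    "the", "an", "and", "or", "of", "to", "in", "on", "for", "is", "are",
    "this", "that", "with", "as", "by", "be", "it", "at", "from", "before",
    "should", "because", "further", "we", "you", "will", "my",
}


def shannon_entropy(text: str) -> float:
    """Bits per character over the non-whitespace characters of text."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    n = len(chars)
    return -sum((k / n) * math.log2(k / n) for k in Counter(chars).values())


def common_word_ratio(text: str) -> float:
    """Share of alphabetic tokens that are ordinary English function words."""
    tokens = re.findall(r"[A-Za-z]+", text)
    if not tokens:
        return 0.0
    return sum(t.lower() in COMMON_WORDS for t in tokens) / len(tokens)


def looks_like_ciphertext(text: str, entropy_floor: float = 4.5,
                          word_ratio_ceiling: float = 0.05) -> bool:
    """True when the text is high-entropy and nearly free of ordinary words,
    i.e. it reads as an encoded blob rather than an article. The thresholds
    are assumptions picked for this example, not values from the report."""
    return (shannon_entropy(text) >= entropy_floor
            and common_word_ratio(text) <= word_ratio_ceiling)


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DECRYPT_RE = re.compile(r"\b(decrypt\w*|unlock\w*|decoder?)\b", re.IGNORECASE)


def offers_decryptor_link(message: str) -> bool:
    """True when a reply both carries a URL and talks about decrypting."""
    return bool(URL_RE.search(message) and DECRYPT_RE.search(message))


def triage_thread(attachment_text: str, replies: list) -> str:
    """Score the lure chain: an unreadable 'article' followed by a sender
    reply that points at a download. Returns a priority label."""
    unreadable = looks_like_ciphertext(attachment_text)
    pushed_link = any(offers_decryptor_link(r) for r in replies)
    if unreadable and pushed_link:
        return "escalate"       # both halves of the lure pattern seen
    if unreadable or pushed_link:
        return "review"         # one signal only; worth a look
    return "none"


if __name__ == "__main__":
    print(triage_thread(OPED_TEXT, [BENIGN_REPLY]))          # none
    print(triage_thread(GIBBERISH_TEXT, [DECRYPTOR_REPLY]))  # escalate
```

Neither signal is proof on its own: a genuinely password-protected report also shows as gibberish to a text extractor, and a legitimate correspondent may send a link. The value is in the combination, which is exactly the sequence the report describes, so the "escalate" label is the one that should route the thread and its download URL to an analyst.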
Billy Leonard, a security engineer at TAG, confirmed that they do not currently have the exact number of victims who were successfully compromised by the SPICA backdoor. However, the company believes that the tool was used in specific and targeted attacks. Leonard also states that the malware is still being improved upon and used in ongoing attacks. He also mentions that Cold River’s activity has not significantly decreased despite legal action taken against them.
Upon discovering this malware campaign, Google immediately added all identified websites, domains, and files to their Safe Browsing service to prevent the group from targeting any more Google users.
In past research, Google has connected Cold River to a hacking and data-leaking operation in which hackers leaked a large number of emails and sensitive documents from prominent figures advocating for Brexit, including Sir Richard Dearlove, former director of the MI6 intelligence agency in the U.K.