Russian Cyber Spy Group Linked to Latest Malware Attack According to Google

Google researchers say they have evidence that a notorious Russian-linked hacking group — tracked as “Cold River” — is evolving its tactics beyond phishing to target victims with data-stealing malware. Cold River, also known as “Callisto Group” and “Star Blizzard,” is known for conducting long-running espionage campaigns against NATO countries, particularly the United States and the United Kingdom. Researchers believe the group’s activities, which typically target high-profile individuals and organizations involved in international affairs and defense, suggest close ties to the Russian state. Google says that on discovery of the Cold River malware campaign, the technology giant added all of the identified websites, domains, and files to its Safe Browsing service to block the campaign from further targeting Google users. Google researchers previously linked the Cold River group to a hack-and-leak operation that saw a trove of emails and documents stolen and leaked from high-level Brexit proponents, including Sir Richard Dearlove, the former head of the U.K. foreign intelligence service MI6.

Google researchers have uncovered evidence that a well-known Russian-linked hacking group, known as “Cold River,” is adapting its tactics, moving beyond phishing schemes to using malware to infiltrate its targets and obtain sensitive data.

Previously referred to as “Callisto Group” and “Star Blizzard,” Cold River has a long history of conducting malicious campaigns against NATO nations, primarily the United States and the United Kingdom.

Experts believe that the group’s activities, which commonly aim at high-profile individuals and organizations involved in international affairs and defense, suggest direct ties to the Russian government. In December of last year, U.S. prosecutors indicted two Russian citizens believed to be members of this group.

The Threat Analysis Group (TAG) at Google has released a new report this week, highlighting Cold River’s recent increase in malicious activity and their use of more advanced tactics that have the potential to cause significant damage to their victims. While primarily targeting Ukraine and its NATO allies, the group has also set their sights on academic institutions and non-government organizations.

This update comes shortly after researchers from Microsoft discovered that Cold River had enhanced their ability to avoid detection.

In their research shared with TechCrunch, TAG states that Cold River has shifted their strategy from attempting to steal credentials through phishing scams to utilizing malware distributed through PDF documents as bait.

These PDF documents have been distributed since November of 2022 and appear as opinion-editorial pieces or other types of articles that the targeted individual or organization would be interested in providing feedback on. Once opened, the document appears to contain only encrypted text. If the victim informs the sender that they cannot read the document, the hacker sends a link to a “decryption” tool, which TAG has discovered to be a customized backdoor named “SPICA.” This backdoor grants the attackers persistent access to the victim’s computer, allowing them to execute commands, steal browser information, and extract sensitive documents.

Billy Leonard, a security engineer at TAG, confirmed that Google does not currently have the exact number of victims who were successfully compromised by the SPICA backdoor. However, the company believes that the tool was used in specific and targeted attacks. Leonard also states that the malware is still being improved upon and used in ongoing attacks, and that Cold River’s activity has not significantly decreased despite legal action taken against the group.

Upon discovering this malware campaign, Google immediately added all identified websites, domains, and files to their Safe Browsing service to prevent the group from targeting any more Google users.

In past research, Google has connected Cold River to a hacking and data-leaking operation where hackers leaked a large amount of emails and sensitive documents from prominent figures advocating for Brexit, including Sir Richard Dearlove, former director of the MI6 intelligence agency in the U.K.

Dylan Williams

Dylan Williams is a multimedia storyteller with a background in video production and graphic design. He has a knack for finding and sharing unique and visually striking stories from around the world.
