Russian hacking group COLDRIVER (also known as Cold River, UNC4057, Star Blizzard, and Callisto) is targeting United States nuclear facilities, as well as other “high profile” targets around the world, using custom, “lure-based” backdoor malware. These other targets can be non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments, according to a report by Google’s Threat Analysis Group (TAG).
The group has been tracked for years by Google TAG, Microsoft, and even the U.S. Department of Justice for conducting cyber espionage activities in alignment with Russian government interests.
U.S. DOJ indicts two Russian Nationals for hacking U.S., U.K., and NATO allies
According to a report by the DOJ released December 7, 2023, two Russian nationals were charged with hacking into computers in the U.S., U.K., NATO allies, and Ukraine, all while working with Russia’s Federal Security Service (FSB). The FSB is the successor to the Soviet-era KGB.
The hackers, Ruslan Aleksandrovich Peretyatko (Перетятько Руслан Александрович), an officer in Russia’s Federal Security Service (FSB) Center 18, Andrey Stanislavovich Korinets (Коринец Андрей Станиславович) and other unindicted conspirators “employed a sophisticated spear phishing campaign to gain unauthorized, persistent access into victims’ computers and email accounts,” according to the DOJ statement.
Notably, COLDRIVER is charged with stealing information used in foreign malign influence operations to influence the U.K.’s 2019 Elections.
“The FBI will not stand idly by as Russia continues to perpetuate this type of targeted malicious activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Russian interference through malign foreign influence campaigns is deplorable, and we will not tolerate it in the United States or directed against our foreign partners. The FBI is dedicated to combating this pervasive threat and will tirelessly seek to prevent and disrupt these criminal acts carried out by Russia.”
COLDRIVER using custom “lure” malware delivery
The Google TAG report on COLDRIVER reviews how the hacking group leveraged sending targets seemingly benign encrypted PDF documents from hijacked or impersonated email accounts. COLDRIVER sends the attachment to targets masquerading as seeking feedback on an op-ed or article for publication.
Once a target responds that they can’t seem to view the encrypted attachment, the COLDRIVER hackers send the target a new link, usually hosted on a cloud storage account, that is supposedly a “decryption tool.”
Once the target downloads the “decryption tool,” they will see a decoy document, but in actuality, it is designed as a malicious backdoor, tracked as SPICA. This provides persistent access to the target for COLDRIVER hackers to exploit.
The hackers can then use the backdoor to execute commands on the infected system, upload files, exfiltrate data, and perform other cyber espionage-related activities.
SPICA backdoor malware
In its report, TAG has documented and provided SHA256 hashes of detected “SPICA” backdoor malware attachments in the wild. First detections are as early as November 2022, and have been hosted in .ZIP, .EXE and .PDF formats. Google also has provided a YARA rule for detection.
Microsoft has also outlined extensive tactics, techniques, and procedures (TTPs) that COLDRIVER, or the pseudonym it uses for the group, “Star Blizzard,” on its blog.
