Google says Russian spies have launched a fresh cyber campaign.

Google researchers believe they have evidence that “Cold River,” a prominent Russian hacking group, is moving beyond credential phishing and now delivers malware to steal data from its targets.

Cold River, also tracked as “Callisto Group” and “Star Blizzard,” has long conducted espionage against NATO countries, primarily the US and UK.

Researchers say the group’s focus on high-profile figures in international affairs and defense points to strong links to the Russian state. In December, U.S. prosecutors charged two Russian nationals said to be members of the group.

In new research released this week, Google’s Threat Analysis Group (TAG) found that Cold River has stepped up its activity in recent months and adopted new tactics against its targets, which are mostly in Ukraine and its NATO allies, along with academic institutions and non-governmental organizations.

The findings follow an assessment by Microsoft researchers that the Russia-aligned group had improved its evasion techniques.

Ahead of the report’s Thursday release, TAG researchers told Eltrys that Cold River has shifted from phishing for credentials to delivering malware through campaigns built around PDF lures.

TAG said Cold River has been sending these PDF documents to targets since November 2022. The messages come from impersonation accounts posing as someone who wants feedback on an opinion editorial or another article.

When the target opens the PDF, which is itself harmless, its text appears to be encrypted. If the target replies that they cannot read the document, the attacker sends a link to a supposed “decryption” utility. Google researchers say that utility is in fact a custom backdoor called “SPICA,” the first piece of malware Google has attributed to Cold River as its own. The backdoor lets the attackers run commands on the victim’s machine, harvest browser cookies, and exfiltrate documents.

TAG security engineer Billy Leonard told Eltrys that Google does not know how many people SPICA has infected, but believes it has only been used in “very limited, targeted attacks.” Leonard said the malware is likely still under active development and in use, and that Cold River’s activity “has remained fairly consistent over the past several years,” despite law enforcement action against the group.

After uncovering the malware campaign, Google added all identified websites, domains, and files to its Safe Browsing blocklists to prevent further targeting of Google users.

Google researchers have previously linked Cold River to a hack-and-leak operation that stole and published emails and documents belonging to Brexit proponents, including former MI6 chief Sir Richard Dearlove.

Author: Juliet P.
