Google Uncovers Advanced Malware Campaign by Russian Espionage Group ‘Cold River’
Google’s Threat Analysis Group (TAG) has reported significant advancements in the tactics of a Russian-linked hacking group known as “Cold River,” evolving from phishing to deploying sophisticated data-stealing malware. Cold River, which has also operated under the aliases “Callisto Group” and “Star Blizzard,” is recognized for its long-standing espionage campaigns against NATO countries, particularly targeting the United States and the United Kingdom.
The group’s activities, mainly focused on high-profile individuals and organizations in international affairs and defense, suggest a close connection with the Russian state. This connection was further corroborated by U.S. prosecutors’ indictment of two Russian nationals associated with Cold River in December.
Recent observations by TAG indicate an escalation in Cold River’s activities, implementing new strategies that pose a greater threat to its victims. These victims primarily include entities in Ukraine, NATO allies, academic institutions, and non-government organizations. The findings follow Microsoft researchers’ reports that the group has enhanced its ability to avoid detection.
TAG’s research, set to be published later this week and shared with TechCrunch in advance, reveals that since November 2022, Cold River has shifted from its standard phishing operations to deploying malware through campaigns disguised as PDF documents. These documents, presented as op-ed pieces or similar articles for feedback, are bait for the intended targets. Upon opening these seemingly harmless PDFs, the text appears encrypted. If the recipient reports an inability to read the document, the hacker sends a link to a purported “decryption” utility. This utility, identified by Google researchers as a custom backdoor named “SPICA,” allows the attackers persistent access to the victim’s machine for executing commands, stealing browser cookies, and extracting documents.
Billy Leonard, a security engineer at TAG, informed TechCrunch that the extent of successful compromises using SPICA is not fully known. However, he believes that its use has been limited to highly targeted attacks. Leonard also suggested that SPICA is still under development and is being actively employed in ongoing attacks. Despite various law enforcement actions, Cold River’s activities have remained consistently active over the years.
In response to this discovery, Google has added all identified websites, domains, and files related to the Cold River malware campaign to its Safe Browsing service, aiming to prevent further targeting of Google users. Google researchers have previously linked Cold River to a hack-and-leak operation involving the theft and leaking of emails and documents from prominent Brexit proponents, including Sir Richard Dearlove, the former head of the U.K. foreign intelligence service MI6.