Google researchers say they have evidence that a notorious Russian-linked hacking group — tracked as “Cold River” — is evolving its tactics beyond phishing to target victims with data-stealing malware.
Cold River, also known as the “Callisto Group” and “Star Blizzard”, is known for conducting long-running espionage campaigns against NATO countries, particularly the United States and the United Kingdom.
Investigators believe the group’s activities, which typically target high-profile individuals and organizations involved in international affairs and defense, indicate close ties to the Russian state. US prosecutors in December indicted two Russian nationals linked to the group.
Google’s Threat Analysis Group (TAG) said in a new study this week that it observed Cold River intensifying its activity in recent months and using new tactics capable of causing greater disruption to its victims, primarily targets in Ukraine and its NATO allies, academic institutions and non-governmental organizations.
These latest findings come on the heels of Microsoft researchers reporting that the Russia-aligned hacking group had improved its ability to evade detection.
In research shared with TechCrunch ahead of its release Thursday, TAG researchers say Cold River has continued to shift beyond its usual credential phishing tactic to delivering malware through campaigns that use PDF documents as bait.
These PDF documents, which TAG said Cold River has delivered to targets since November 2022, are disguised as an editorial opinion piece or other type of article on which the fake account wants to solicit feedback.
When the victim opens the benign PDF, the text appears as if it is encrypted. If the target replies that they can’t read the document, the hacker will send a link to a “decryption” utility, which Google researchers say is a custom backdoor tracked as “SPICA.” This backdoor, which Google says is the first custom malware developed and used by Cold River, gives attackers persistent access to a victim’s machine to execute commands, steal browser cookies and exfiltrate documents.
Billy Leonard, a security engineer at TAG, told TechCrunch that Google doesn’t have visibility into the number of victims successfully breached with SPICA, but said the company believes SPICA was only used in “very limited, targeted attacks.” Leonard added that the malware is likely still under active development and use in ongoing attacks, and that Cold River’s activity has “remained fairly consistent over the past several years,” despite law enforcement actions.
Google says that upon discovering the Cold River malware campaign, the tech giant added all identified websites, domains and files to its Safe Browsing service to prevent the campaign from further targeting Google users.
Google investigators previously linked the Cold River group to a hack-and-leak operation that saw a trove of emails and documents stolen and leaked from high-ranking Brexit supporters, including Sir Richard Dearlove, the former head of Britain’s foreign intelligence agency MI6.