Cold River

Threat Actor Profile Updated 13 days ago
Download STIX
Preview STIX
Cold River, a sophisticated threat actor linked to the Kremlin, has been engaging in malicious cyber activities for several years. The group, also known as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of Russia's security services sponsoring global cyber espionage. The group's activity, despite law enforcement actions, has remained fairly consistent over time, according to Leonard from Google's Threat Analysis Group (TAG). Cold River's tactics have evolved beyond phishing, with the group now deploying data-stealing malware. Since November 2022, they have been delivering malware-laden PDF documents to their targets. In January, Reuters reported that Cold River targeted three nuclear research laboratories in the United States. This was not an isolated incident; the group has been involved in several other attacks. In fact, following the Russian invasion of Ukraine, Google's TAG reported that Cold River was targeting U.S.-based NGOs, think tanks, military entities in a Balkan country, and a Ukraine-based defense contractor. After discovering these campaigns, Google added all identified websites, domains, and files related to Cold River to its Safe Browsing service. Cold River has developed and used its first publicly known custom malware, dubbed "SPICA". If a target responds that they cannot read a malicious document sent by the hackers, a link to a "decryption" utility is provided, which actually serves as a backdoor for the malware. Despite being used in very limited, targeted attacks, SPICA is believed to be under active development and used in ongoing attacks. While Russia's foreign ministry has dismissed reports on Cold River as anti-Russian propaganda, the continued activity and evolution of this threat actor underscore its potential for disruption and damage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Cold River Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
5 months ago
USA & Britain Accuse Russia Of Hacking
DARKReading
a year ago
5 Critical Components of Effective ICS/OT Security
CERT-EU
4 months ago
Prolific Russian hacking unit using custom backdoor for the first time
CERT-EU
5 months ago
Britain, US sanction Russian hackers over years-long FSB cyberespionage campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
a year ago
Russian Hackers Almost Took The US Electrical Grid Down | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
CERT-EU
5 months ago
Russia's FSB Hacking UK Politicians NCSC | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
4 months ago
Google warns against new malware campaign spreading through PDFs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
5 months ago
UK government takes steps to thwart Russia's FSB hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting