Cold River

Threat Actor updated 4 months ago (2024-05-05T02:17:36.670Z)
Cold River, a sophisticated threat actor linked to the Kremlin, has been engaging in malicious cyber activities for several years. The group, also known as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of Russia's security services sponsoring global cyber espionage. The group's activity, despite law enforcement actions, has remained fairly consistent over time, according to Leonard from Google's Threat Analysis Group (TAG).

Cold River's tactics have evolved beyond phishing, with the group now deploying data-stealing malware. Since November 2022, they have been delivering malware-laden PDF documents to their targets. In January, Reuters reported that Cold River targeted three nuclear research laboratories in the United States. This was not an isolated incident; the group has been involved in several other attacks. In fact, following the Russian invasion of Ukraine, Google's TAG reported that Cold River was targeting U.S.-based NGOs, think tanks, military entities in a Balkan country, and a Ukraine-based defense contractor. After discovering these campaigns, Google added all identified websites, domains, and files related to Cold River to its Safe Browsing service.

Cold River has developed and used its first publicly known custom malware, dubbed "SPICA". If a target responds that they cannot read a malicious document sent by the hackers, a link to a "decryption" utility is provided, which actually serves as a backdoor for the malware. Despite being used in very limited, targeted attacks, SPICA is believed to be under active development and used in ongoing attacks.

While Russia's foreign ministry has dismissed reports on Cold River as anti-Russian propaganda, the continued activity and evolution of this threat actor underscore its potential for disruption and damage.
Description last updated: 2024-05-05T01:21:06.007Z
Aliases: We are not currently tracking any aliases
Source Document References
Information about the Cold River Threat Actor was read from the documents corpus below.
Source, created, title:

- CERT-EU, 8 months ago: Google warns against new malware campaign spreading through PDFs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
- CERT-EU, 8 months ago: Prolific Russian hacking unit using custom backdoor for the first time
- DARKReading, 2 years ago: 5 Critical Components of Effective ICS/OT Security
- CERT-EU, 2 years ago: Russian Hackers Almost Took The US Electrical Grid Down | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
- CERT-EU, 9 months ago: Russia's FSB Hacking UK Politicians NCSC | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
- CERT-EU, 9 months ago: Britain, US sanction Russian hackers over years-long FSB cyberespionage campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
- CERT-EU, 9 months ago: USA & Britain Accuse Russia Of Hacking
- CERT-EU, 9 months ago: UK government takes steps to thwart Russia's FSB hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting