Cold River

Threat Actor Profile Updated 3 months ago
Cold River, a sophisticated threat actor linked to the Kremlin, has been engaged in malicious cyber activity for several years. The group, also tracked as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of the Russian security services sponsoring global cyber espionage. According to Leonard of Google's Threat Analysis Group (TAG), the group's activity has remained fairly consistent over time despite law enforcement actions.

Cold River's tactics have evolved beyond phishing: the group now deploys data-stealing malware, and since November 2022 it has been delivering malware-laden PDF documents to its targets. In January, Reuters reported that Cold River had targeted three nuclear research laboratories in the United States. This was not an isolated incident. Following the Russian invasion of Ukraine, Google's TAG reported that Cold River was targeting U.S.-based NGOs, think tanks, military entities in a Balkan country, and a Ukraine-based defense contractor. After discovering these campaigns, Google added all identified websites, domains, and files related to Cold River to its Safe Browsing service.

Cold River has also developed and used its first publicly known custom malware, dubbed "SPICA". If a target replies that they cannot read the malicious document the hackers sent, they are given a link to a "decryption" utility, which is in fact the backdoor that installs the malware. Although SPICA has been used only in very limited, targeted attacks, it is believed to be under active development and in ongoing use. While Russia's foreign ministry has dismissed reporting on Cold River as anti-Russian propaganda, the group's continued activity and evolution underscore its potential for disruption and damage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Spica | 1 | Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
Star Blizzard | 1 | Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr
Callisto Group | 1 | The Callisto Group, a threat actor identified as part of the Russian Federal Security Service, has been exposed by the United States and the United Kingdom for its malicious cyber activities. This group, also known as Coldriver and formerly tracked by Microsoft under the moniker "Seaborgium," is com
Seaborgium | 1 | Seaborgium, also known as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor linked to suspected Russian threat activity groups. Open-source reporting has enabled Insikt Group to profile the infrastructure used by this group, revealing significant overlaps with other known malic
Callisto | 1 | Callisto, also known as Gossamer Bear, COLDRIVER, UNC4057, Star Blizzard, Blue Charlie, and SEABORGIUM, is a threat actor linked to the Russian state. This group, which has been tracked by various entities including Microsoft, Google's Threat Analysis Group (TAG), and Insikt Group, is known for its
UNC4057 | 1 | UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
UK
British
Russia
Google
Cybercrime
Backdoor
Blizzard
Phishing
Malware
Associated Malware
ID | Type | Votes | Profile Description
Proton | Unspecified | 1 | Proton is a malicious software, or malware, that has been found to exploit and damage computer systems. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Proton has the capability to steal personal information, disrupt operation
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
On Cold River | Unspecified | 1 | None
Source Document References
Information about the Cold River threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Google warns against new malware campaign spreading through PDFs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Prolific Russian hacking unit using custom backdoor for the first time
DARKReading | a year ago | 5 Critical Components of Effective ICS/OT Security
CERT-EU | a year ago | Russian Hackers Almost Took The US Electrical Grid Down | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
CERT-EU | 8 months ago | Russia's FSB Hacking UK Politicians NCSC | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | Britain, US sanction Russian hackers over years-long FSB cyberespionage campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | USA & Britain Accuse Russia Of Hacking
CERT-EU | 8 months ago | UK government takes steps to thwart Russia's FSB hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting