COLDRIVER

Threat Actor updated a month ago (2024-10-17T13:03:54.627Z)
Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks, and non-profit organizations such as the Free Russia Foundation. Their activities have focused on undermining democratic processes in Western nations, including the US and UK, with investigations linking them to various data breaches and cyber-espionage campaigns. Google's Threat Analysis Group (TAG) has warned that Coldriver uses a custom backdoor for their operations, highlighting the sophistication of their attacks. The group has also been linked to the River of Phish campaign, with attribution confirmed through investigations by Citizen Lab, Microsoft Security Threat Intelligence Center (MSTIC), Proofpoint, and PwC among others. Additionally, it has been observed that other cyber-espionage groups distinct from Coldriver have participated in these campaigns, indicating a complex and multifaceted threat landscape. In response to the threats posed by Coldriver, both Google and Microsoft have taken actions to mitigate their impact. Microsoft filed a civil action to seize 66 internet domains used by the group, while the Justice Department unsealed a warrant to seize 41 domains linked to the group for computer fraud in the United States. These measures underscore the seriousness of the threat posed by Coldriver and the ongoing efforts by cybersecurity entities to counteract their malicious activities.
Description last updated: 2024-10-17T12:23:26.474Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Seaborgium is a possible alias for COLDRIVER. Seaborgium, also known by various names such as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor believed to be linked to Russia's Federal Security Service (FSB). The group has been active since at least 2015, targeting government officials, military personnel, journalists, an | 7
Callisto is a possible alias for COLDRIVER. Callisto, also known as Star Blizzard, COLDRIVER, TAG-53, and BlueCharlie, is a threat actor group likely based in Russia that has been linked to malicious cyber activities. The group is notorious for its sophisticated spear-phishing attacks targeting organizations and individuals in the UK and othe | 6
Star Blizzard is a possible alias for COLDRIVER. Star Blizzard, a threat actor group with ties to Russia's FSB, has been conducting sophisticated spear-phishing campaigns predominantly targeting Western think tanks, government officials, defense contractors, journalists, and nongovernmental organizations (NGOs). The group uses spear-phishing techn | 5
Callisto Group is a possible alias for COLDRIVER. The Callisto Group, also known as 'Star Blizzard', 'SEABORGIUM', and 'COLDRIVER', is a threat actor linked to Russia's Federal Security Service (FSB), Center 18. This group has been involved in sophisticated spear-phishing campaigns aimed at unauthorized access and information theft from protected c | 5
Bluecharlie is a possible alias for COLDRIVER. BlueCharlie, also known as TAG-53, Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446, is a threat actor that has been linked to Russia and has reportedly been active since 2019. The group has been involved in various malicious activities including cybere | 5
TA446 is a possible alias for COLDRIVER. TA446, also known as the Callisto APT group, Seaborgium, Star Blizzard, ColdRiver, TAG-53, and BlueCharlie, is a significant threat actor that has been active since at least 2015. The group has persistently targeted government officials, military personnel, journalists, and think tanks, focusing on | 3
Calisto is a possible alias for COLDRIVER. Calisto, also known as BlueCharlie, Blue Callisto, TAG-53, COLDRIVER, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a threat actor that has been active since 2019. This group targets a wide range of sectors and is particularly focused on individuals and organizations involved in intern | 2
Gossamer Bear is a possible alias for COLDRIVER. Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta | 2
Unc4057 is a possible alias for COLDRIVER. UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Blizzard
Phishing
Apt
Implant
Domains
Ukraine
Microsoft
State Sponso...
Decoy
Google
Associated Malware
Alias Description | Association Type | Votes
The Spica Malware is associated with COLDRIVER. Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig | Unspecified | 5
Associated Threat Actors
Alias Description | Association Type | Votes
The threatActor Callisto Apt Group is associated with COLDRIVER. | Unspecified | 2
Associated Vulnerabilities
Alias Description | Association Type | Votes
The vulnerability Star Blizzard/seaborgium is associated with COLDRIVER. | Unspecified | 2
Source Document References
Information about the COLDRIVER Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
Flashpoint | a month ago
Securityaffairs | 2 months ago
InfoSecurity-magazine | 2 months ago
Checkpoint | 2 months ago
InfoSecurity-magazine | 3 months ago
BankInfoSecurity | 5 months ago
BankInfoSecurity | 7 months ago
CERT-EU | 9 months ago
Securityaffairs | 9 months ago
Securityaffairs | 9 months ago
DARKReading | 9 months ago
Securityaffairs | 9 months ago
Securityaffairs | 10 months ago
Securityaffairs | 10 months ago
Malwarebytes | 10 months ago
Securityaffairs | 10 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago
DARKReading | 10 months ago
InfoSecurity-magazine | 10 months ago