The Russian threat group ColdRiver has evolved from phishing for credentials to delivering backdoor malware campaigns that use PDFs as lure documents to target nongovernmental organizations (NGOs), former intelligence and military officers, NATO governments, and critical infrastructure.
In a Jan. 18 blog post, the Google Threat Analysis Group (TAG) said there may be multiple versions of the backdoor — known as SPICA — each with a different embedded decoy document to match the lure document sent to targets.
Security researchers were concerned about the development because ColdRiver — also known as UNC4057, Star Blizzard, and Callisto — is a well-known hacking group sponsored by the Russian intelligence service, the Federal Security Service (FSB), that has been known to carry out various nefarious activities on behalf of the Russian government.
For example, Reuters reported in January 2023 that ColdRiver targeted three nuclear research laboratories in the United States.
ColdRiver was reportedly tied to attacks on Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records that showed the hackers created fake login pages for each research facility and emailed nuclear scientists to try to get them to reveal their passwords.
ColdRiver/Star Blizzard (aka UNC4057) specializes in spear-phishing campaigns, using advanced tactics that include impersonation of known contacts customized to targets, and technical configurations and addresses configured to look legitimate to the recipient, explained Ken Dunham, cyber threat director at the Qualys Threat Research Unit.
Dunham said Star Blizzard has been operating since at least 2019, targeting academia, defense, government organizations, NGOs, think tanks and politicians. In 2022, Star Blizzard expanded operations to include defense-industrial targets, including the U.S. Department of Energy facilities.
Star Blizzard uses open-source intelligence to perform reconnaissance against targets to customize attacks for maximum effectiveness, commonly performed with a spear-phishing attack. Dunham said the most recent focus by Star Blizzard is not opportunistic or semi-targeted: it’s highly focused and strategic as an attack upon U.S. supervisory control and data acquisition (SCADA) systems and critical infrastructure.
“ColdRiver and SPICA are designed to establish a beachhead operation within targeted nuclear facility staff accounts and networks, with the probable means to then ‘land and expand,’” said Dunham, who was troubled by the specific targeting and focus: “especially during a time of global disruption in a U.S. election year and shift of global power.”
According to the Google TAG researchers, SPICA is written in Rust and uses JSON over WebSockets for command and control (C2). It supports a number of commands, including executing arbitrary shell commands, stealing cookies from Chrome, Firefox, Opera and Edge, uploading and downloading files, listing the contents of the filesystem, and enumerating documents and exfiltrating them in an archive.
TAG observed SPICA being used as early as September 2023, but believes that ColdRiver’s use of the backdoor goes back to at least November 2022. While TAG has observed four different variants of the initial “encrypted” PDF lure, it has only successfully retrieved a single instance of SPICA. This sample, named “Proton-decrypter.exe”, used the C2 address 45.133.216[.]15:3000, and was likely active around August and September 2023. TAG said it has disrupted ColdRiver's campaign by adding all known domains and hashes to Safe Browsing blocklists.
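As an added defensive example (not code from the article or from Google TAG), the following Python scans log records for the two indicators the article quotes, the C2 address and the sample file name, and adds a generic check for WebSocket upgrades to a bare IP on a non-web port, which is how a JSON-over-WebSockets C2 channel like SPICA's appears on the wire. The JSON-per-line proxy/EDR log schema and the sample records are constructed assumptions, not any product's real format.

```python
import json
import re

# Indicators quoted in the article, as published (defanged). The log format below is a
# constructed, simplified JSON-per-line proxy/EDR schema, not any real product's.
C2_DEFANGED = "45.133.216[.]15:3000"
SAMPLE_NAME = "Proton-decrypter.exe"
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator: str) -> str:
    """Convert a defanged indicator (1.2.3[.]4, hxxp://) back to a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOST, C2_PORT = refang(C2_DEFANGED).split(":")


def is_websocket_upgrade(rec: dict) -> bool:
    """True if the HTTP request in this record negotiates a WebSocket (RFC 6455 handshake)."""
    h = {k.lower(): str(v).lower() for k, v in rec.get("headers", {}).items()}
    return h.get("upgrade") == "websocket" and "upgrade" in h.get("connection", "")


def classify(line: str) -> list[str]:
    """Return the reasons one log record resembles SPICA activity (empty list if none)."""
    rec = json.loads(line)
    dst, port = rec.get("dst_ip", ""), str(rec.get("dst_port", ""))
    hits = []
    if dst == C2_HOST and port == C2_PORT:
        hits.append("known SPICA C2 address")
    # WebSocket traffic to a bare IP on a non-web port is atypical for legitimate software
    if is_websocket_upgrade(rec) and BARE_IP.fullmatch(dst) and port not in ("80", "443"):
        hits.append("websocket to bare IP on non-standard port")
    if rec.get("process_name", "").lower() == SAMPLE_NAME.lower():
        hits.append("known SPICA sample name")
    return hits


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map timestamp -> reasons for every record that matched at least one rule."""
    return {json.loads(ln)["ts"]: r for ln in lines if (r := classify(ln))}


# Constructed sample records (not real telemetry); only the second should be flagged.
SAMPLE_LOG = [
    '{"ts":"t1","process_name":"chrome.exe","dst_ip":"142.250.1.1","dst_port":443,'
    '"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}',
    '{"ts":"t2","process_name":"Proton-decrypter.exe","dst_ip":"45.133.216.15","dst_port":3000,'
    '"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}',
    '{"ts":"t3","process_name":"outlook.exe","dst_ip":"52.96.0.1","dst_port":443,"headers":{}}',
]
```

Running `scan(SAMPLE_LOG)` flags only record t2, with all three reasons; the Chrome WebSocket to port 443 is left alone because the heuristic deliberately excludes the standard web ports.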