A Brief Overview of Russian Threat Group ColdRiver and Efforts to Counter the Group by Officials

By: Ayisha Surani

Edited By: Aaron Brantly, Brooke Spens, Riley Phillips

Abstract

Russian malware actor ColdRiver poses a significant threat to Western government officials, humanitarian organizations, and NGOs critical of the Russian government by undermining humanitarian and strategic organizations.[1] Due to its support from the Russian government, ColdRiver has proved to be a heightened threat to NATO countries and their allies given their strong dissent from Russia’s current regime.[2] ColdRiver has conducted cyberattacks since 2017, and its operators are linked to Russia’s Federal Security Service (FSB). ColdRiver has used advanced persistent threats (APTs) to steal sensitive information and disrupt operations opposing Russia.[3] The purpose of ColdRiver is to prevent NATO countries from pushing negative Russian narratives, to collect intelligence on foreign forces, and to target institutions enforcing sanctions against Russia. This blog defines ColdRiver and examines its methods, its impacts on humanitarian and strategic organizations, and the international response to its ongoing threat.

Introduction

Since 2016, ColdRiver, a Russian-based malware, has targeted Western government officials and NGOs critical of the Russian Federal Security Service (FSB) in documented cyberattacks.[4] The escalation of ColdRiver appearances, however, did not occur until the invasion of Ukraine in 2022.[5] CrowdStrike’s Vice President of Intelligence, Adam Myers, claimed that the hackers who use ColdRiver have links to activity “directly supporting Kremlin information operations.”[6] CrowdStrike is an anti-virus security company that is used by companies such as Microsoft and Trustwave.[7] ColdRiver operations take place internationally, targeting logistical and military equipment and companies. Neither the Calisto Group nor the FSB has officially announced ties to the other, but the United Kingdom, United States, Australia, Canada, and New Zealand have identified an association between ColdRiver and the FSB.[8]

Sekoia, a France-based security service, identifies victims of ColdRiver including, but not limited to, organizations in Ukraine (Emcompass), the United States (DTFruelle, Global Ordnance, Blue Sky Network), Poland (UMO), and Estonia (BotGuard). Government logistics companies, satellites, and military equipment were prime targets of ColdRiver operations.[9] Sekoia rates its confidence in attributing attacks to ColdRiver on a scale of high, medium, and low, and all of the attacks mentioned range from medium to high confidence.[10] High confidence indicates strong trustworthiness and strong evidence that the attacks come from the Callisto group.[11] These attacks, particularly those targeting organizations involved in providing humanitarian aid and in countering ColdRiver’s attacks, underscore how Russian cyber operations such as those perpetrated by the Callisto group weaponize malware. Sekoia’s findings emphasize the precision of ColdRiver attacks, which exploit vulnerabilities in organizations critical to the security and humanitarian operations of Russia’s opponents.

ColdRiver goes by multiple names, including Calisto/Callisto, Star Blizzard, Dancing Salome, and SEABORGIUM.[12] Hackers who deploy ColdRiver for malicious purposes are referred to as the Callisto group. The Callisto group is directly linked to Russian intelligence agents within Russia’s FSB and is known for its targeting of military and research organizations.[13] Aside from these targets, “additional victimology includes intelligence officials, experts in Russian matters, and Russian citizens abroad.”[14] These activities underscore the Callisto group’s role as an entity serving Russia’s interests by targeting key geopolitical opponents of Russia’s cyberattack objectives. The implications for human rights are profound, as the attacks undermine the national security of nations opposed to Russia’s use of malware and their access to critical resources. Understanding and highlighting these attacks allows government officials to know how to respond to future threats by Russian hackers, enhancing global security, and how to protect people at risk, such as those advocating against Russian human rights violations in countries such as Ukraine.

 

How It Works

An APT (advanced persistent threat) is a form of cyberattack aimed at gaining unauthorized access to a network and remaining undetected by the victim for an extended duration, with the motive of stealing information from that network; APT actors are often state-sponsored or state-condoned.[15] The ColdRiver APT uses spear-phishing campaigns to deceive victims into exposing sensitive information or into actions such as forwarding funds to hackers.[16] Once the attackers gain the trust of a victim, they send an email with a PDF file and ask the victim to review it. The PDF cannot be opened, which coaxes the victim into replying that they can’t access it. The attacker then sends a decryption link, claiming that it will allow the victim to access the PDF. The decryption link is in fact a proprietary backdoor called SPICA. This method of attack affects non-governmental organizations and activists in clear discontent with Russia’s use of malware, leaving them exposed to data breaches and exploitation.[17]

SPICA’s role in this process is to pretend to open a normal PDF file in order to diminish the victim’s suspicion.[18] SPICA simultaneously establishes persistence and starts a command-and-control (C2) loop, effectively embedding itself in the computer so that the attacker remains in control for a long period of time without the victim knowing. Once it has infected the victim’s computer, SPICA’s abilities include “stealing cookies from major browsers like Chrome and Firefox, downloading and uploading files, and running arbitrary shell commands.” Speculation about the backdoor’s use dates back to November 2022.[19] The backdoor implements persistence with a scheduled task named CalendarChecker, created using a computer program called PowerShell.[20]

Google’s Threat Analysis Group (TAG) has suggested that there are “multiple versions of the SPICA backdoor” due to the fact that there have been limited findings of SPICA since 2023 and there has only been one successful retrieval by TAG of a PDF with SPICA clearly implemented.[21] Once successfully infected, the malware group has full control over sensitive files in the infected system, access to private information from cookies of major browsers, and power to execute basic shell commands.

Figure 1: Phishing Domains used by ColdRiver Malware [22]

cache-dns[.]com

docs-shared[.]com

documents-forwarding[.]com

documents-preview[.]com

protection-link[.]online

webresources[.]live

 

Figure 1 showcases the phishing domains that have been used by ColdRiver malware. The domains listed are part of the infrastructure leveraged by attackers to trick users into downloading or executing malicious software.[23] These domains play a critical role in ColdRiver’s delivery mechanism.
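
A defensive check built from the indicators this section names, added here as an example and not taken from Google TAG or any cited report: it matches DNS query names against the Figure 1 domains on label boundaries and flags creation of a scheduled task named CalendarChecker. The key=value log layout and the sample lines are constructed, and the use of Windows event ID 4698 (scheduled task created) is an assumption about where the task name would be recorded.

```python
import re

# Indicators as published on this page: Figure 1 domains (kept defanged) and
# the scheduled-task name SPICA uses for persistence.
DEFANGED_DOMAINS = [
    "cache-dns[.]com", "docs-shared[.]com", "documents-forwarding[.]com",
    "documents-preview[.]com", "protection-link[.]online", "webresources[.]live",
]
TASK_NAME = "CalendarChecker"
# Assumed log layout (constructed for this example): key=value fields per line.
QUERY_RE = re.compile(r"\bquery=(\S+)")
TASK_RE = re.compile(r"\bEventID=4698\b.*\bTaskName=(\S+)")


def refang(indicator):
    """Turn a defanged domain (name[.]tld) into a lowercase, matchable name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matches_ioc_domain(hostname):
    """Return the listed domain that hostname equals or is a subdomain of, else None."""
    # Compare whole DNS labels so look-alikes containing an indicator as a
    # substring (prefix or suffix tricks) are not reported.
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan(lines):
    """Return (line_number, kind, indicator) per hit; task paths match on last component."""
    hits = []
    for n, line in enumerate(lines, 1):
        query = QUERY_RE.search(line)
        ioc = matches_ioc_domain(query.group(1)) if query else None
        if ioc:
            hits.append((n, "dns", ioc))
        task = TASK_RE.search(line)
        if task and task.group(1).rsplit("\\", 1)[-1].lower() == TASK_NAME.lower():
            hits.append((n, "scheduled-task", TASK_NAME))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "09:01:12 host=ws01 query=login." + refang("docs-shared[.]com") + ". type=A",
    "09:01:15 host=ws01 query=not" + refang("cache-dns[.]com") + " type=A",
    "09:02:40 host=ws01 EventID=4698 TaskName=\\CalendarChecker",
    "09:03:02 host=ws02 query=" + refang("webresources[.]live").upper() + " type=A",
    "09:03:30 host=ws02 query=" + refang("cache-dns[.]com") + ".example.org type=A",
    "09:04:00 host=ws02 EventID=4698 TaskName=\\CalendarCheckerUpdate",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Lines 2, 5 and 6 of the sample are deliberate near-misses; a substring match would flag all three.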

Overview of Impacts

Since its creation, ColdRiver has conducted multiple long-term attacks against countries in direct discontent with Russia’s use of malware. Some prevalent and effective attacks demonstrate the approach ColdRiver uses to advance Russia’s agenda.[24] For example, an attack in the UK in 2018 is known as the 2018 hack of the Institute for Statecraft. The Institute for Statecraft is a UK-based charity that focuses on countering “disinformation overseas by bringing groups of experts to analyze and discuss the problem posed by Russian disinformation.”[25] The UK government funds Statecraft. Following the attack, the UK Parliament accused the Callisto group of leaking information in Institute for Statecraft documents to multiple Kremlin news channels. The Institute for Statecraft’s Twitter posts were accused of systematic bias against the Russian government, which prompted the hack. The hackers first exposed the documents on Scribd and Cyber Guerilla, with the documents appearing to reveal that the institute took taxpayers’ money and used it to publish anti-Labour propaganda through smear campaigns.[26] The UK has had multiple encounters with the Callisto group: ColdRiver allegedly disrupted the 2019 election by leaking Liam Fox’s stolen information, which the opposition leader Jeremy Corbyn subsequently cited during the United Kingdom’s 2019 election.[27] However, the Russian government denied this. This case represents an example of alleged Russian interference within a foreign government, in part facilitated through ColdRiver malware.

Ilya Ponomarev is a former politician in the Russian State Duma who is of both Russian and Ukrainian descent and has been targeted by ColdRiver. He told VOA News that he had been emailing back and forth with someone he thought was Michael McFaul, former United States Ambassador to Russia.[28] “The letter contained a reference to a report on Ukraine that McFaul supposedly intended to deliver in China, and also a request to check whether he had mixed something up,” Ponomarev said to VOA News. The message was in line with current events, since McFaul delivered a lecture to Chinese students that April, which also falls in line with ColdRiver’s most frequent attacks between April and June 2024.[29] However, ColdRiver and Coldwastrel, another malware group closely linked to the Russian regime, were said to have carried out the attack on Ponomarev.[30]

John Herbst, retired United States Ambassador to Ukraine and journalist, has been critical of Russia’s military tactics in Ukraine since 2014. In an interview with VOA News, “Herbst said Russian hackers target people who take a public position aimed at countering Moscow’s aggressive policy.”[31] On January 6, Reuters claimed that ColdRiver had attacked nuclear research laboratories in the United States.[32] “The digital blitz against the U.S. labs occurred as U.N. experts entered Russian-controlled Ukrainian territory to inspect Europe’s biggest atomic power plant and assess the risk of what both sides said could be a devastating radiation disaster amid heavy shelling nearby.” [20] The cases of the Institute for Statecraft, Ilya Ponomarev, and John Herbst demonstrate the type of attacks on humanitarian rights, strategic organizations, and those opposed to the Russian government’s malware strategies. These events indicate ColdRiver’s influence on its targets by intimidating and affecting individuals and organizations challenging Russia’s political and military actions.

Responses

In response to ColdRiver malware’s attacks, the affected countries reacted through policymaking and enforcement. The United Kingdom imposed sanctions on FSB Officer Ruslan Peretyatko and Callisto Group member Andrew Korinets, accusing them of involvement in ColdRiver malware in its Cyber Sanctions list.[33] The Cyber Sanctions list labels people involved with ColdRiver as direct threats to the UK government and calls for the freezing of the named hackers’ funds held in banks and institutions based in the UK.[34] Freezing funds prevents actors on the list from making financial transactions with citizens of the UK and restricts access to funds that come from services within the country. By imposing sanctions, the House of Commons has attempted to expose and disrupt cyber operations.

The United States government also charged the same two actors following the House of Commons’ decision.[35] The United States Federal Bureau of Investigation accused ColdRiver in a sealed affidavit of international promotional money laundering and conspiracy to commit the same, as “the information targeted by the FSB and illegally accessed during the criminal conspiracy included sensitive information related to the identity of United States employees, defense, foreign affairs, and security policies, as well as nuclear energy related technology, research, and development, all of which is particularly valuable to the Russian government’s efforts to engage in malign foreign influence operations within the United States.”[36]

On October 3rd, the United States’ Justice Department announced it had reseized 41 internet domains originally seized by the Callisto group.[37] Microsoft’s Digital Crimes Unit (DCU) sent out a similar announcement on the same day, declaring the initiation of a lawsuit in collaboration with the NGO Information Sharing and Analysis Center (NGO-ISAC).[38] These actions by the British and U.S. governments indicate continued efforts to counter Russian cyber threats by the malware group, which means that while future attacks are probable, there are surveillance teams analyzing past attacks to find ways to counter future attacks.

Conclusion

ColdRiver malware, operated by the Callisto Group, represents a sophisticated cyber threat directly linked to the Russian FSB, despite the Russian FSB’s persistent denial of support for the previous cyber-espionage programs and ColdRiver’s violations of humanitarian law.[39] The use of this malware has been proven to undermine national security, steal sensitive information, and attempt to disrupt those critical of the Kremlin through its advanced phishing techniques and use of the proprietary backdoor SPICA with carefully selected targets for long periods of time.

The response, primarily by NATO countries, highlights the international community’s commitment to countering such threats. However, the ongoing evolution of ColdRiver’s operation indicates the persistent challenges posed through the pervasive use of malware by foreign agents.

 


[1] John Scott-Railton et al., “Rivers of Phish,” August 4, 2024, https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/.

[2] Michelle Cantos and Jamie Collier, “Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics Executive Summary,” June 5, 2024, https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics. 

[3] Office of Public Affairs, “Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts,” October 3, 2024, https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts. 

[4] Felix Aime, Maxime A., and Sekoia TDR, “Calisto Show Interests into Entities Involved in Ukraine War Support,” December 5, 2020, https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/. 

[5] Ibid. 

[6] Ibid. 

[7] TheirStack, “Companies That Use CrowdStrike,” n.d.

[8] Bill Toulas, “UK and Allies Expose Russian FSB Hacking Group, Sanction Members,” December 7, 2023, https://www.bleepingcomputer.com/news/security/uk-and-allies-expose-russian-fsb-hacking-group-sanction-members/. 

[9] Aime, A., and TDR, “Calisto Show Interests into Entities Involved in Ukraine War Support.” 

[10] Ibid.

[11] Center for Internet Security, “Words of Estimative Probability, Analytic Confidences, and Structured Analytic Techniques,” n.d., https://www.cisecurity.org/ms-isac/services/words-of-estimative-probability-analytic-confidences-and-structured-analytic-techniques. 

[12] Office of Public Affairs, “Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign,” December 7, 2024, https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer. 

[13] Ibid. 

[14] Aime, A., and TDR, “Calisto Show Interests into Entities Involved in Ukraine War Support.” 

[15] Hussin Jose Hejase, Hasan Kazan, and Imda Moulkadem, “ADVANCED PERSISTENT THREATS (APT): AN AWARENESS REVIEW,” Journal of Economics and Economic Education Research, December 1, 2020, doi:10.13140/rg.2.2.31300.65927. 

[16] Matthew Kosinski, “What Is Spear Phishing?,” June 6, 2024, https://www.ibm.com/topics/spear-phishing. 

[17] Pierluigi Paganini, “GOOGLE TAG WARNS THAT RUSSIAN COLDRIVER APT IS USING A CUSTOM BACKDOOR,” January 18, 2024, https://securityaffairs.com/157705/apt/google-warns-ColdRiver-malware.html.

[18] Tara Seals, “Google: Russia’s ColdRiver APT Unleashes Custom ‘Spica’ Malware,” January 18, 2024, https://www.darkreading.com/ics-ot-security/russia-ColdRiver-apt-unleashes-custom-spica-malware. 

[19] Dennis Fisher, “Russian ColdRiver Hackers Deploy Malware to Target Western Officials,” n.d., https://duo.com/decipher/russian-ColdRiver-group-uses-new-backdoor-to-target-governments. 

[20] Wesley Shields, “Russian Threat Group COLDRIVER Expands Its Targeting of Western Officials to Include the Use of Malware,” January 18, 2024, https://blog.google/threat-analysis-group/google-tag-ColdRiver-russian-phishing-malware/. 

[21] Ibid.

[22] Billy Leonard, “Update on Cyber Activity in Eastern Europe,” May 3, 2022, https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/.

[23] Billy Leonard, “Update on Cyber Activity in Eastern Europe,” May 3, 2022, https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/. 

[24] James Pearson and Christopher Bing, “Exclusive: Russian Hackers Targeted U.S. Nuclear Scientists,” n.d., https://www.reuters.com/world/europe/russian-hackers-targeted-us-nuclear-scientists-2023-01-06/.

[25] Emily Thornberry, “Institute for Statecraft: Integrity Initiative,” December 12, 2018, https://hansard.parliament.uk/commons/2018-12-12/debates/298F9A3C-307A-40ED-9CB1-3B2A98F14165/InstituteForStatecraftIntegrityInitiative. 

[26] Jim Edwards, “What It’s like When the Russians Hack Your Company and Turn You into a Fake News Conspiracy Story on State TV,” Business Insider, n.d., https://www.businessinsider.com/russia-hack-on-institute-for-statecraft-tactics-in-west-2019-12. 

[27] Alexander Martin, “UK Names FSB Unit behind Hack-and-Leak Campaigns, Summons Russian Ambassador,” The Record, December 7, 2023, https://therecord.media/uk-names-fsb-unit-behind-hack-and-leak-operation. 

[28] Alexey Gorbachev, “Russian Hacker Attacks Target Former US Ambassadors, Reveal Prior Penetration,” August 28, 2024, https://www.voanews.com/a/russian-hacker-attacks-target-former-us-ambassadors-reveal-prior-penetration/7762937.html.

[29] Access Nowʼs Digital Security Helpline team, “SPEAR-PHISHING CASES FROM EASTERN EUROPE A TECHNICAL BRIEF,” AccessNow, August 1, 2024, https://www.accessnow.org/wp-content/uploads/2024/08/Spearphishing-cases-in-Eastern-Europe-2022-2024-technical-brief.pdf. 

[30] Gorbachev, “Russian Hacker Attacks Target Former US Ambassadors, Reveal Prior Penetration.” 

[31] Ibid. 

[32] Pearson and Bing, “Exclusive: Russian Hackers Targeted U.S. Nuclear Scientists.” 

[33] Office of Financial Sanctions Implementation HM Treasury, “Financial Sanctions Notice,” July 12, 2024, https://assets.publishing.service.gov.uk/media/657194c5809bc300133081f5/Notice_Cyber_071223.pdf. 

[34] Ibid. 

[35] Jonathan Greig, “US Charges Two Russians in Hacks of Government Accounts,” December 7, 2023, https://therecord.media/us-indictment-fsb-alleged-hacking-government-officials. 

[36] Federal Bureau of Investigation, “APPLICATION FOR A WARRANT TO SEIZE PROPERTY SUBJECT TO FORFEITURE” (United States District Court, n.d.), https://storage.courtlistener.com/recap/gov.uscourts.cand.436552/gov.uscourts.cand.436552.7.0.pdf.

[37] Affairs, “Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts.” 

[38] Steven Masada, “Protecting Democratic Institutions from Cyber Threats,” October 3, 2024, https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/. 

[39] The Moscow Times, “FSB-Linked Phishing Campaign Targets Russian Activists, Independent Media,” The Moscow Times, August 14, 2024, https://www.themoscowtimes.com/2024/08/14/fsb-linked-phishing-campaign-targets-russian-activists-independent-media-a86020.