Google researchers say they have evidence that a notorious Russian-linked hacking group — tracked as “Cold River” — is evolving its tactics beyond phishing to target victims with data-stealing malware.
Cold River, also known as “Callisto Group” and “Star Blizzard,” conducts long-running espionage campaigns against NATO countries, particularly the United States and the United Kingdom.
Researchers believe the group’s activities, which typically target high-profile individuals and organizations involved in international affairs and defense, suggest close ties to the Russian state. U.S. prosecutors in December indicted two Russian nationals linked to the group.
Google’s Threat Analysis Group (TAG) said in new research this week that it has observed Cold River ramping up its activity in recent months and using new tactics capable of causing more disruption to its victims, predominantly targets in Ukraine and its NATO allies, academic institutions and non-government organizations.
These latest findings come soon after Microsoft researchers reported that the Russia-aligned hacking group had improved its ability to evade detection.
In research shared with TechCrunch ahead of its publication on Thursday, TAG researchers say that Cold River has continued to shift beyond its usual tactic of phishing for credentials to delivering malware via campaigns using PDF documents as lures.
These PDF documents, which TAG said Cold River has delivered to targets since November 2022, masquerade as an opinion-editorial piece or another type of article that the spoofed account is looking to solicit feedback on.
When the victim opens the benign PDF, the text appears as if it is encrypted. If the target responds that they cannot read the document, the hacker will send a link to a “decryption” utility, which Google researchers say is a custom backdoor tracked as “SPICA.” This backdoor, which Google says is the first custom malware to be developed and used by Cold River, gives the attackers persistent access to the victim’s machine to execute commands, steal browser cookies, and exfiltrate documents.
Billy Leonard, a security engineer at TAG, told TechCrunch that Google does not have visibility into the number of victims who were successfully compromised with SPICA, but said the company believes that SPICA was only used in "very limited, targeted attacks.” Leonard added that the malware is likely still under active development and being used in ongoing attacks and that Cold River activity "has remained fairly consistent over the past several years," despite law enforcement action.
Google says that on discovery of the Cold River malware campaign, the technology giant added all of the identified websites, domains, and files to its Safe Browsing service to block the campaign from further targeting Google users.
Google researchers previously linked the Cold River group to a hack-and-leak operation that saw a trove of emails and documents stolen and leaked from high-level Brexit proponents, including Sir Richard Dearlove, the former head of the U.K. foreign intelligence service MI6.