A Russian hacking team known as Cold River has registered domain names designed to impersonate at least three European non-governmental organizations that investigate war crimes, according to French cybersecurity firm SEKOIA.IO.
Cold River attacked three nuclear research laboratories in the United States
A Russian hacking group known as Cold River attacked three nuclear research laboratories in the United States last summer, according to Internet records reviewed by five U.S. cybersecurity experts.
When Russian President Vladimir Putin said Russia would be ready to use nuclear weapons to defend its territory, Cold River struck Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratory (LLNL), according to online data.
The Russian hackers created fake login pages for each institution and sent emails to nuclear scientists in an attempt to get them to reveal their passwords.
It is unclear why these labs were targeted, or whether any attempted intrusion was successful. A BNL representative declined to comment. LLNL did not respond to a request for comment. An ANL representative referred questions to the US Department of Energy, which declined to comment.
Russian hackers Cold River are intensifying their activities
Cold River has stepped up its hacking campaign against Kiev’s allies since the invasion of Ukraine, according to cybersecurity researchers and Western government officials.
The digital blitz against US labs came as UN experts entered Russian-controlled territory in Ukraine to inspect Europe’s largest nuclear power plant and assess the risk of what both sides say could be a devastating radiation disaster amid heavy shelling nearby.
Cold River, which first appeared on the radar of intelligence officials after the 2016 attack on the British Foreign Office, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms.
Cold River supports the Kremlin’s information operations
“This is one of the most important hacking groups you’ve never heard of,” said Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm CrowdStrike. “They are involved in directly supporting the Kremlin’s information operations.”
Russia’s Federal Security Service (FSB), the domestic security agency that also conducts espionage campaigns in favor of Moscow, and the Russian Embassy in Washington did not respond to emailed requests for comment.
Russia is famous for hacking
Western officials say the Russian government is a world leader in hacking and uses cyberespionage to spy on foreign governments and industries to gain a competitive advantage. However, Moscow has consistently denied conducting hacking operations.
Five industry experts have confirmed Cold River’s involvement in attempted hacks at nuclear labs based on shared digital fingerprints that researchers have historically linked to the group.
The US National Security Agency declined to comment on Cold River’s activities. Britain’s Government Communications Headquarters (GCHQ), its equivalent, did not comment. The Ministry of Foreign Affairs declined to comment.
The results of hackers’ work are known
In May, Cold River hacked and leaked the emails of the former head of Britain’s MI6 spy agency. It was just one of several “hack and leak” operations last year by Russian-linked hackers in which sensitive messages were released in the UK, Poland and Latvia, according to cyber security experts and security officials in Eastern Europe.
In another recent espionage operation against critics of Moscow, Cold River registered domain names designed to impersonate at least three European non-governmental organizations investigating war crimes, according to French cybersecurity firm SEKOIA.IO.
The hacking attempts linked to non-governmental organizations took place immediately before and after the October 18 release of a report by an independent UN commission of inquiry, which found Russian forces responsible for the “vast majority” of human rights violations in the first weeks of the war in Ukraine, which Russia has called a special military operation.
Why did Cold River target NGOs?
In a blog post, SEKOIA.IO claims that, based on its targeting of non-governmental organizations, Cold River is attempting to contribute to “the collection of Russian intelligence on emerging evidence related to war crimes and/or international justice proceedings”.
The Commission on International Justice and Accountability (CIJA), a nonprofit organization founded by a veteran war crimes investigator, said it had been unsuccessfully targeted by Russian-backed hackers for the past eight years.
Two other NGOs, the International Center for Nonviolent Conflict and the Center for Humanitarian Dialogue, did not respond to requests for comment.
The Russian Embassy in Washington did not respond to a request for comment on the CIJA hacking attempt.
Cold River used tactics such as tricking people into entering their usernames and passwords on fake websites to gain access to their computer systems, security researchers said.
To do this, Cold River used various email accounts to register domain names such as “goo-link.online” and “online365-office.com”, which at first glance appear to be legitimate services from companies such as Google and Microsoft, security researchers said.
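The two domains quoted above show the pattern defenders look for: a brand token (“goo”, “365”, “office”) glued to filler words on a registrable domain the brand does not own. The following script is an added example, not code from the article or from any of the firms it cites; it assumes a defender-maintained allowlist of the brands’ real domains and a constructed sample of hostnames, and it flags names that carry a brand token but are not on that allowlist.

```python
import re

# Constructed allowlist of registrable domains the impersonated brands actually use
# (assumption: a defender maintains this for their own environment; not exhaustive).
LEGIT_DOMAINS = {"google.com", "gmail.com", "microsoft.com",
                 "office.com", "office365.com", "outlook.com", "live.com"}

# Brand tokens that suggest impersonation when they appear as a separate piece
# of an unknown registrable domain (split on hyphens and letter/digit boundaries).
BRAND_TOKENS = {
    "google": {"google", "goo", "gmail"},
    "microsoft": {"microsoft", "office", "365", "outlook", "onedrive", "sharepoint"},
}


def registrable_domain(host):
    """Return the last two labels of a hostname (assumption: no public-suffix
    handling, so names like 'x.co.uk' need a real PSL in production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def tokens(label):
    """Split a second-level label on hyphens/underscores and between letters and
    digits: 'online365-office' -> ['online', '365', 'office']."""
    parts = re.split(r"[-_]+|(?<=[a-z])(?=\d)|(?<=\d)(?=[a-z])", label)
    return [p for p in parts if p]


def assess_domain(host):
    """Classify one hostname: allowlisted brands are clean; anything else that
    carries a brand token is reported as a lookalike of that brand."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return {"domain": reg, "suspicious": False, "brands": []}
    sld = reg.split(".")[0]
    hits = sorted(brand for brand, toks in BRAND_TOKENS.items()
                  if set(tokens(sld)) & toks)
    return {"domain": reg, "suspicious": bool(hits), "brands": hits}


def flag_lookalikes(hosts):
    """Return only the suspicious assessments for a list of hostnames."""
    return [r for r in map(assess_domain, hosts) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample: the two domains named in the article plus benign controls.
    sample = ["goo-link.online", "online365-office.com",
              "mail.google.com", "goodreads.com", "example.org"]
    for result in flag_lookalikes(sample):
        print(result)
```

Feeding newly registered domains or passive-DNS output through flag_lookalikes gives an early warning list to review before the matching phishing emails arrive.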
Deep ties with Russia
According to experts at Internet giant Google, British defense contractor BAE and US intelligence firm Nisos, Cold River has made several mistakes in recent years.
This allowed cyber security analysts to pinpoint the exact location and identity of one of its members, providing the clearest indication yet of the group’s Russian origins.
A person from a Russian hacker group
Several personal email addresses used to set up Cold River missions belong to Andrey Korinets, a 35-year-old IT worker and bodybuilder from Syktyvkar, about 1,600 km northeast of Moscow.
The use of these accounts left a trail of digital evidence of various hacking activities in Korinets’ online life, including social media accounts and personal websites.
Billy Leonard, a security engineer with Google’s threat analysis group that investigates nation-state hacking, said Korinets was involved. “Google linked this individual to the Cold River Russian hacking group and its early operations,” he said.
Vincas Ciziunas, a security researcher at Nisos who also linked Korinets’ email addresses to Cold River’s activities, said the IT worker had historically been a “central figure” in Syktyvkar’s hacking community.
Ciziunas found a number of Russian-language Internet forums, including an e-zine where Korinets discussed hacking, and shared those posts.
In an interview with Reuters, Korinets confirmed that he owned the relevant email accounts, but denied any knowledge of Cold River. He said his only hacking experience came years ago, when a Russian court fined him for a computer crime committed during a business dispute with a former client.
Reuters was able to separately confirm Korinets’ ties to Cold River using data collected by cybersecurity research platforms Constella Intelligence and DomainTools, which help identify website owners: the data showed Korinets’ email addresses registered to numerous websites used in Cold River hacking operations.