Cybersecurity experts correlated the activity to Cold River based on digital fingerprints already tied to the group’s earlier activity, dating back to 2016.
Hackers Created Login Pages to Lure Nuclear Scientists
Cold River hackers targeted Brookhaven (BNL), Argonne (ANL), and the Lawrence Livermore National Laboratories (LLNL) between August and September, according to the investigation. This period coincides with Russia’s threats to use nuclear weapons and with United Nations forces entering Russian-controlled Ukrainian territory to assess the possibility of a radiation disaster amid clashes. Cold River reportedly stepped up its hacking campaign against Ukraine’s allies following Russia’s February 2022 invasion and the subsequent barrage of cyberattacks.

Cold River hackers attempted to lure nuclear scientists into a trap via fraudulent login pages, the report said. They did this by first sending phishing emails to the scientists. If successful, this tactic could hand them the scientists’ passwords.

In 2018, the email account of a then-advisor to former South Korean President Moon Jae-in was hacked, according to the nation’s parliamentary intelligence committee. This was tied to the hack of the South Korean Atomic Energy Research Institute orchestrated by the North Korean hacking group Kimsuky, reported in June 2021. In October 2022, the Iranian “hacktivist” group Black Reward released several documents containing information about Iran’s nuclear activities. Once again, the initial compromise vector was an email system.

Email phishing campaigns are a simple but highly effective way to trick someone into entering their credentials on a crafted website. These emails can also carry attachments such as RAR or ZIP archives which, when opened and the files within them executed, can infect a system with malware such as infostealers and RATs (remote access trojans) that can be operated through botnets. Last month, NordVPN research said the data of 4.9 million people was being sold on “bot markets.” This data included tens of millions of logins.
‘One of the Most Important Hacking Groups’
The report said that, so far, none of the nuclear research institutes had replied to questions posed by journalists. Neither Russia’s Federal Security Service (FSB) nor Russia’s embassy in Washington commented. The media were also unable to obtain comments from the U.S. National Security Agency (NSA), the UK’s Government Communications Headquarters (GCHQ), or the UK Foreign Office. There is also no information about whether any of these intrusions were successful or why exactly the nuclear labs were targeted. According to a February 2022 writeup by blockchain analysis firm Chainalysis, Russian cybercriminals are responsible for a significant share of global cybercrime.

“This is one of the most important hacking groups you’ve never heard of,” Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm Crowdstrike, said about Cold River. Meyers added that Cold River is directly involved in “supporting Kremlin information operations.” “Cold River, also known as Callisto, has for years conducted hacking campaigns against Western European targets,” cybersecurity expert James Pearson, affiliated with Reuters, tweeted on Friday. Pearson also posted a photograph of what he says is a Cold River member on his Twitter feed.

In May 2022, Cold River leaked confidential emails belonging to a former head of the UK secret service MI6. The hacking group was also found targeting the UK’s foreign ministry as early as 2016.

Whether you are a casual internet user or run a small business, we recommend you stay cyber-secure in an era of sophisticated, wide-ranging cyber-attacks. Consult our guide on keeping your small business safe and pick up one of our top VPN picks for 2023 to improve your cybersecurity posture this year.