During August and September 2022, the Russian hacking group Cold River targeted three nuclear research laboratories in the United States, according to internet records reviewed by Reuters and five cybersecurity experts. The targets were the Brookhaven, Argonne, and Lawrence Livermore National Laboratories.
The hackers created fake login pages and emailed nuclear scientists in an attempt to capture their passwords. It is not known why the labs were targeted, or whether any of the intrusion attempts succeeded. The US Department of Energy and spokespeople for the Brookhaven and Lawrence Livermore National Laboratories declined to comment.
Russian Hackers Groups Are Beginning to Target Ukraine Allies
Cold River has ramped up its hacking campaigns against Ukraine’s allies since the invasion of Ukraine, according to cybersecurity researchers and Western government officials. The attempts against the US labs took place while United Nations experts were inspecting a Russian-controlled nuclear power plant in Ukraine, amid concerns about the risk of a radiation disaster.
Cold River first drew the attention of intelligence professionals after it targeted Britain’s foreign office in 2016, and it has since been linked to numerous high-profile hacking incidents, according to interviews with nine cybersecurity firms.
Reuters was able to trace email accounts that Cold River used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.
Adam Meyers, Senior Vice President of Intelligence at the cybersecurity firm CrowdStrike, described Cold River as “one of the most important hacking groups you’ve never heard of” and said it is “involved in directly supporting Kremlin information operations.”
Russia Refuses to Respond to Questions of the Hacking Attacks
Russia’s Federal Security Service and its embassy in Washington did not respond to requests for comment. Western officials say Russia engages in widespread hacking and cyber espionage to gain a competitive advantage; Moscow consistently denies the allegations.
Five industry experts confirmed Cold River’s involvement in the attempted intrusions at the nuclear labs, based on shared digital fingerprints previously linked to the group.
The US National Security Agency declined to comment on Cold River’s activities. Britain’s Government Communications Headquarters (GCHQ) and foreign office also did not respond to requests for comment.
Cold River has been involved in several “hack and leak” operations in which confidential communications were made public in Britain, Poland, and Latvia, according to cybersecurity experts and Eastern European security officials.
Russian Hackers Cold River Leaked Emails of the Former Head of Britain’s MI6 Spy Agency
In May, the group leaked emails belonging to the former head of Britain’s MI6 spy agency. The French cybersecurity firm SEKOIA.IO also found that Cold River had registered domain names imitating three European NGOs investigating war crimes.
These attempts occurred before and after the release of a report by a UN independent commission of inquiry, which found that Russian forces were responsible for the majority of human rights violations during the early weeks of the Ukraine war. It is unclear why Cold River targeted the NGOs.
The Commission for International Justice and Accountability (CIJA), a non-profit organization established by an experienced war crimes investigator, said it had been the target of multiple hacking attempts by Russia-backed hackers over the past eight years, all of which were unsuccessful.
The International Center of Nonviolent Conflict and the Centre for Humanitarian Dialogue did not respond to requests for comment. The Russian embassy in Washington also did not respond to a request for comment regarding the attempted hack on CIJA.
Cold River (Russian Hackers) Now Uses New Tactics
Cold River has adopted new tactics, according to security researchers, including tricking targets into entering their login credentials on fake websites in order to gain access to their accounts and computers. The group used various email accounts to register domain names such as goo-link.online and online365-office.com.
These sites are made to look like legitimate services from companies such as Google and Microsoft. Security analysts at Google, BAE, and Nisos have identified Cold River’s location, and have identified one of its members thanks to recent operational mistakes by the group; this is the strongest evidence to date that Cold River operates from Russia.
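The two registered names the article cites, goo-link.online and online365-office.com, are typical of credential-phishing infrastructure: a brand fragment (goo, 365, office) glued to a login or link word, often on a cheap TLD. The script below is an added example, not code from the article or from Google, BAE, Nisos or any other firm it cites; it scores newly observed domains for that pattern. The token lists, weights, allowlist and threshold are assumptions an analyst would tune, and every sample domain is constructed except the two the article names.

```python
"""Triage newly observed domains for brand lookalikes used in credential phishing.

Added example, not code from the article or from Google, BAE, Nisos or any
other firm it cites. Scoring weights, token lists and the allowlist are
assumptions an analyst would tune; every sample domain below is constructed
for illustration except the two the article names (goo-link.online and
online365-office.com).
"""
import re
from difflib import SequenceMatcher

# Tokens that phishing kits borrow from the brands they imitate (assumed list).
BRAND_TOKENS = {
    "google": {"google", "gmail", "goo", "gdrive"},
    "microsoft": {"microsoft", "office", "office365", "365", "outlook", "onedrive", "sharepoint"},
}
# Generic words that dress a lookalike up as a login or document-sharing flow.
LURE_TOKENS = {"login", "signin", "secure", "verify", "link", "online", "auth", "account", "mail", "docs"}
# TLDs that cost little and turn up often in throwaway phishing infrastructure.
CHEAP_TLDS = {"online", "site", "xyz", "top", "link", "click", "space"}
# Domains that legitimately carry brand tokens and must never be flagged.
ALLOWLIST = {"google.com", "gmail.com", "microsoft.com", "office.com", "outlook.com", "live.com"}
# Digit-for-letter substitutions seen in homoglyph squats (micr0soft, goog1e).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_domain(domain):
    """Return (registrable label, tld) for a plain two-level domain like foo.com."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def score_domain(domain):
    """Score one domain; returns (score, brand_hit, reasons)."""
    if domain.lower() in ALLOWLIST:
        return 0, False, ["allowlisted"]
    label, tld = split_domain(domain)
    score, brand_hit, reasons = 0, False, []
    for chunk in filter(None, re.split(r"[-_]", label)):
        chunk_hit = False
        # Exact tokens: letters and digit runs are separate, so "online365" yields 365.
        for tok in re.findall(r"[a-z]+|\d+", chunk):
            for brand, toks in BRAND_TOKENS.items():
                if tok in toks:
                    score += 3
                    chunk_hit = brand_hit = True
                    reasons.append(f"brand token '{tok}' ({brand})")
            if tok in LURE_TOKENS:
                score += 1
                reasons.append(f"lure token '{tok}'")
        # Fuzzy match of the whole chunk (after homoglyph folding) against brand names.
        if not chunk_hit and len(chunk) >= 5:
            folded = chunk.translate(HOMOGLYPHS)
            for brand in BRAND_TOKENS:
                if SequenceMatcher(None, folded, brand).ratio() >= 0.8:
                    score += 3
                    brand_hit = True
                    reasons.append(f"'{chunk}' resembles '{brand}'")
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append(f"cheap tld .{tld}")
    return score, brand_hit, reasons


def verdict(domain):
    """Classify a domain: any brand signal is a lookalike, lure-only stacks are suspicious."""
    score, brand_hit, reasons = score_domain(domain)
    if brand_hit:
        label = "likely-lookalike"
    elif score >= 3:
        label = "suspicious"
    else:
        label = "benign"
    return {"domain": domain, "verdict": label, "score": score, "reasons": reasons}


def triage(domains):
    """Score a batch of domains, highest score first."""
    return sorted((verdict(d) for d in domains), key=lambda v: -v["score"])


if __name__ == "__main__":
    # Constructed feed: the two domains from the article plus made-up neighbours.
    sample = ["goo-link.online", "online365-office.com", "micr0soft-signin.xyz",
              "secure-verify-link.click", "microsoft.com", "example.org"]
    for v in triage(sample):
        print(f"{v['score']:2d} {v['verdict']:16s} {v['domain']:28s} {'; '.join(v['reasons'])}")
```

Feed it the output of a certificate-transparency or newly-registered-domain stream rather than a static list; the allowlist matters because the brand's own domains would otherwise score highest of all.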
A Bodybuilder from Russia is Suspected to be Working with Cold River
Andrey Korinets is a 35-year-old IT worker and bodybuilder from Syktyvkar, Russia. Reports link him to Cold River through multiple personal email addresses that were used to set up the group’s operations.
The use of these accounts left a digital trail leading back to Korinets’ online presence, including social media accounts and personal websites. Billy Leonard, a Security Engineer at Google’s Threat Analysis Group, said that Korinets was part of Cold River: “Google has connected this individual to the Russian hacking group Cold River and their early operations,” Leonard said.
Vincas Ciziunas, a security researcher at Nisos, also linked Korinets’ email addresses to Cold River activity. Ciziunas found Russian-language internet forums, including an eZine, where Korinets had discussed hacking, and shared the posts with Reuters. Ciziunas believes Korinets is a “central figure” in the Syktyvkar hacking community.
Korinets admitted owning the email accounts in question but denied any knowledge of Cold River. He said his only experience with hacking was a computer crime he committed during a business dispute with a former customer, for which a Russian court ordered him to pay a fine.
In addition to the statements and evidence provided by Google and Nisos, Reuters independently confirmed Andrey Korinets’ association with Cold River using the cybersecurity research platforms Constella Intelligence and DomainTools, which help determine who owns a website.
Those platforms showed that Korinets’ email addresses had registered a number of websites, most of which were used in Cold River’s hacking campaigns between 2015 and 2020. It is not known whether Korinets has taken part in any hacking operations since 2020. Asked to explain the use of these email addresses, Korinets did not respond, nor did he answer further inquiries.
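The attribution described above rests on a standard pivot: historical WHOIS records tie a registrant email address to the domains it registered, so one known phishing domain leads to the address, and the address leads to every other domain registered with it. The script below is an added example and is not code from the article, Reuters, Constella Intelligence or DomainTools; it walks that domain-to-email graph over a constructed set of records (the .example TLD is reserved and resolves to nothing) and refuses to pivot through registrar privacy-proxy addresses, which would otherwise link thousands of unrelated domains. The proxy pattern and fan-out threshold are assumptions an analyst sets per data set.

```python
"""Pivot from one known phishing domain to others via shared registrant e-mails.

Added example; this is not code from the article, Reuters, Constella
Intelligence or DomainTools, and it models only the generic pivot those
platforms support: WHOIS-style records that say which e-mail address
registered which domain, walked as a domain <-> e-mail graph. All records,
domains and addresses below are constructed; the .example TLD is reserved and
resolves to nothing.
"""
import re
from collections import defaultdict, deque

# Constructed historical WHOIS records: (domain, registrant e-mail, creation date).
RECORDS = [
    ("login-portal.example",   "ops-a@mail.example",    "2016-03-02"),
    ("docs-share.example",     "ops-a@mail.example",    "2017-01-15"),
    ("docs-share.example",     "ops-b@mail.example",    "2019-06-20"),  # re-registered under a second address
    ("mail-verify.example",    "ops-b@mail.example",    "2019-07-01"),
    ("mail-verify.example",    "privacy@proxy.example", "2021-02-11"),  # later hidden behind a privacy proxy
    ("news-mirror.example",    "privacy@proxy.example", "2020-05-05"),  # same proxy, no real link
    ("unrelated-shop.example", "shop@mail.example",     "2018-09-09"),
]

# Registrar privacy services put one placeholder address on thousands of
# unrelated domains; pivoting through them produces a meaningless cluster.
# Assumed pattern: extend it from what your own WHOIS source actually emits.
PROXY_RE = re.compile(r"privacy|proxy|redacted|whoisguard|domainsbyproxy", re.I)


def build_index(records):
    """Bipartite index: e-mail -> domains it registered, domain -> e-mails that registered it."""
    by_email, by_domain = defaultdict(set), defaultdict(set)
    for domain, email, _created in records:
        d, e = domain.lower(), email.lower().strip()
        by_email[e].add(d)
        by_domain[d].add(e)
    return by_email, by_domain


def pivot(seed, records, max_hops=3, max_fanout=50):
    """Breadth-first walk from seed over registrant e-mails.

    Returns domains -> (hop count, e-mail that led there), the e-mails the walk
    used, and e-mails it refused to pivot through (proxy pattern or fan-out
    above max_fanout, a threshold an analyst sets per data set).
    """
    by_email, by_domain = build_index(records)
    seed = seed.lower()
    found = {seed: (0, None)}
    used, skipped = set(), set()
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hop = found[domain][0]
        if hop >= max_hops:
            continue
        for email in sorted(by_domain.get(domain, ())):
            if PROXY_RE.search(email) or len(by_email[email]) > max_fanout:
                skipped.add(email)
                continue
            used.add(email)
            for other in sorted(by_email[email]):
                if other not in found:
                    found[other] = (hop + 1, email)
                    queue.append(other)
    return {"domains": found, "emails": used, "skipped": skipped}


def active_window(records, domains):
    """Earliest and latest creation dates among records for the given domains (ISO dates sort as text)."""
    dates = sorted(c for d, _e, c in records if d.lower() in domains)
    return (dates[0], dates[-1]) if dates else (None, None)


if __name__ == "__main__":
    result = pivot("login-portal.example", RECORDS)
    for domain, (hop, via) in sorted(result["domains"].items(), key=lambda kv: kv[1][0]):
        print(f"hop {hop}: {domain:24s} via {via}")
    print("refused to pivot through:", sorted(result["skipped"]))
    print("registrations span:", active_window(RECORDS, result["domains"]))
```

Two caveats a practitioner would keep in mind: live WHOIS has been largely redacted since 2018, so this pivot only works over archived historical records, and a shared address proves shared registration, not shared operation, until it is corroborated by other overlap such as name servers, hosting, or the content of the sites themselves.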