A Russian government-linked cyber espionage and influence operation known to target entities around the world has added custom backdoor malware to its arsenal, researchers said Thursday, demonstrating the continued evolution of one of Moscow’s most prolific cyber groups.
Researchers with Google’s Threat Analysis Group said in a blog post Thursday that the group, which it tracks as “Cold River,” has been using its first publicly known custom malware, dubbed “SPICA,” in campaigns as early as September of last year. SPICA allows attackers to execute commands on targeted systems, upload and download files and gather system and file information, among other capabilities, the researchers said.
The tool is “still in very limited, targeted use, and only used against a very small number of targets,” the Google researchers told CyberScoop through a spokesperson.
Cold River is a sophisticated hacking group linked to the Kremlin with a history of carrying out operations aligned with Russian interests. A month after the Russian invasion of Ukraine, for example, Google’s TAG reported that Cold River was targeting “several” U.S.-based NGOs and think tanks, military entities in a Balkan country and a Ukraine-based defense contractor.
That set of activities also included campaigns against the military of “multiple Eastern European countries, as well as a NATO Centre of Excellence,” which, at the time, represented a widening of the group’s typical targeting profile.
The group is known for credential phishing campaigns against NGOs, former military and intelligence officers and NATO governments. A December 2023 indictment from the U.S. Department of Justice accused two people from the group, one of whom was an officer in Russia’s Federal Security Service (FSB), of hacking networks in the U.S., the U.K., NATO countries and Ukraine on behalf of the Russian government.
The same month, an advisory from Microsoft warned that the group was continuing to improve its evasive techniques in pursuit of its espionage mission.
In 2022, the group targeted a series of U.S. nuclear research laboratories, according to Reuters, and was also behind a hack-and-leak operation targeting high-profile Brexit supporters in the U.K., Reuters also reported.
Cold River is just one name for the group; others include “Callisto,” “Star Blizzard” and “UNC4057.”