Full Report
Since the start of the year, the Russian state-backed ColdRiver hacking group has been using new LostKeys malware to steal files in espionage attacks targeting Western governments, journalists, think tanks, and non-governmental organizations. [...]
Analysis Summary
# Threat Actor: ColdRiver (associated with LostKeys)
## Attribution & Identity
**State Alignment:** Associated with Russian state interests.
**Known Aliases/Associated Groups:** Star Blizzard, Callisto Group, Seaborgium.
**Attribution Details:** The U.S. State Department sanctioned two ColdRiver operators, one identified as an FSB officer, in December 2023 for global hacking campaigns coordinated by the Russian government.
## Activity Summary
Google linked the threat actor to the deployment of the new **LostKeys** data theft malware during recent espionage campaigns. ColdRiver has been active since at least 2017, focusing on espionage. In December 2023, Five Eyes agencies warned of the group's spear-phishing attacks targeting defense, governmental organizations, NGOs, and politicians, particularly following the Russian invasion of Ukraine. The group's targeting later expanded to defense-industrial targets and U.S. Department of Energy facilities. In 2022, Microsoft disrupted a separate operation in which the group used compromised Microsoft accounts to monitor organizations and individuals in NATO countries.
## Tactics, Techniques & Procedures
- Social engineering (used extensively to research and lure targets).
- Open-Source Intelligence (OSINT) gathering.
- Spear-phishing attacks.
- Use of compromised Microsoft accounts to harvest emails and monitor victim activity.
- Deployment of the **LostKeys** data theft malware.
## Targeting
- **Sectors:** Defense, Governmental organizations, NGOs, Politicians, Defense-industrial targets, U.S. Department of Energy facilities.
- **Geography:** NATO countries (as reported for the 2022 monitoring operation disrupted by Microsoft).
- **Victims:** Organizations and high-profile individuals in NATO countries.
## Tools & Infrastructure
- **Malware families used:** LostKeys (new data theft malware).
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided context, beyond the use of compromised Microsoft accounts in past operations.
## Implications
ColdRiver remains an active and significant espionage threat aligned with Russian objectives, with recent activity involving the sophisticated LostKeys malware. Their focus on defense and governmental sectors, especially following geopolitical events like the Ukraine invasion, indicates a high-value intelligence collection mission. The ongoing sanctions and public attribution by US/Five Eyes agencies suggest continued international focus on disrupting this actor.
## Mitigations
- Increased vigilance against spear-phishing campaigns by actors who research their targets via OSINT before making contact.
- Enhanced monitoring of, and security controls around, Microsoft accounts used by key personnel and organizations.
- Defenses specific to data theft malware like LostKeys.
- Monitoring for activity targeting defense and energy sectors.