This content details the activities of the ColdRiver hacking group, a Russia-backed threat actor that uses new malware to conduct espionage against Western governments, NGOs, and other organizations. It covers their attack methods, targets, linked affiliations, and ongoing international responses. (Affected: Western governments, NGOs, defense organizations, and related institutions)
Key points:
- ColdRiver, a Russia-backed hacking group, has been deploying LostKeys malware since early 2023 to steal files and gather intelligence from targeted organizations.
- They use social engineering, spear-phishing, and PowerShell-based malware deployment to infect high-value targets, including government and defense entities.
- LostKeys malware can extract specific files, send system information, and steal credentials, facilitating further cyber operations such as email and contact theft.
- ColdRiver is linked to Russia’s FSB and has expanded its targets to include NATO countries, Ukraine, and U.S. energy and defense sectors.
- International agencies, including the UK and Five Eyes allies, have attributed ColdRiver operations to Russian security services and issued warnings about their tactics.
- The U.S. State Department sanctioned ColdRiver operatives, including an FSB officer, and offers rewards for information leading to their identification.
- Other state-backed groups, such as Kimsuky and MuddyWater, have used similar espionage tactics recently, highlighting a broad geopolitical cyber threat landscape.