A Russian hacking team known as Cold River attacked three nuclear research labs in the United States last summer, according to internet data reviewed by Reuters and five cybersecurity experts.
Between August and September, when President Vladimir Putin signaled that Russia would be willing to use nuclear weapons to defend its territory, Cold River targeted the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet data that showed the hackers created fake login pages for each institution and emailed nuclear scientists in an attempt to get them to reveal their passwords.
Reuters was unable to determine why the labs were targeted or whether an attempted break-in was successful. A BNL spokesperson declined to comment. LLNL did not respond to a request for comment. An ANL spokesperson referred questions to the US Department of Energy, which declined to comment.
According to cybersecurity researchers and Western government officials, Cold River has escalated its hacking campaign against Kiev’s allies since the invasion of Ukraine. The digital blitz against the US labs came as UN experts entered Russian-controlled Ukrainian territory to inspect Europe’s largest nuclear power plant and assess the risk of what both sides say could be a devastating radiation disaster amid heavy shelling nearby.
Cold River, which first appeared on the radar of intelligence professionals after targeting the British Foreign Office in 2016, has been implicated in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms. Reuters traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.
“This is one of the most important hacking groups you’ve never heard of,” said Adam Meyers, senior vice president of intelligence at US cybersecurity firm CrowdStrike. “They are involved in direct support of the Kremlin’s information operations.”
Russia’s Federal Security Service (FSB), the homeland security agency that also conducts espionage campaigns for Moscow, and the Russian Embassy in Washington did not respond to emailed requests for comment.
Western officials say the Russian government is a world leader in hacking and uses cyber espionage to spy on foreign governments and industries to gain a competitive advantage. However, Moscow has consistently denied that it conducts hacking operations.
Reuters showed its findings to five industry experts who confirmed Cold River’s involvement in the nuclear lab hacking attempts, based on shared digital fingerprints researchers have linked to the group in the past.
The U.S. National Security Agency (NSA) declined to comment on Cold River’s activities. Britain’s Government Communications Headquarters (GCHQ), the country’s equivalent of the NSA, declined to comment. The State Department declined to comment.
In May, Cold River hacked and leaked emails belonging to the former head of Britain’s spy agency MI6. According to cybersecurity experts and Eastern European security officials, that was just one of many “hack and leak” operations by Russian-affiliated hackers last year that exposed confidential communications in Britain, Poland and Latvia.
In another recent espionage operation targeting critics of Moscow, Cold River registered domain names designed to impersonate at least three European NGOs investigating war crimes, according to French cybersecurity firm SEKOIA.IO.
The NGO-related hacking attempts came just before and after the October 18 launch of a report by a UN Independent Commission of Inquiry that found Russian forces responsible for the “vast majority” of human rights violations in the first weeks of the war in Ukraine, which Russia has called a special military operation.
In a blog post, SEKOIA.IO said Cold River, based on its targeting of the NGOs, was seeking to contribute to “Russian intelligence gathering on identified evidence related to war crimes and/or international judicial proceedings.” Reuters could not independently confirm why Cold River targeted the NGOs.
The Commission for International Justice and Accountability (CIJA), a nonprofit organization founded by a veteran war crimes investigator, said it had repeatedly been unsuccessfully targeted by Russian-backed hackers over the past eight years. The other two NGOs, the International Center on Nonviolent Conflict and the Center for Humanitarian Dialogue, did not respond to requests for comment.
The Russian embassy in Washington has not returned a request for comment on the attempted hack against CIJA.
Cold River has used tactics such as tricking people into entering their usernames and passwords on bogus websites to gain access to their computer systems, security researchers told Reuters. To do this, Cold River used several email accounts to register domain names, such as “goo-link.online” and “online365-office.com” which at a glance appear to be legitimate services operated by companies like Google and Microsoft, the security researchers said.
DEEP TIES WITH RUSSIA
Multiple personal email addresses used to set up Cold River missions belong to Andrey Korinets, a 35-year-old IT worker and bodybuilder in Syktyvkar, about 1,600 km (1,000 miles) northeast of Moscow, according to experts from internet giant Google, British defense contractor BAE and US intelligence firm Nisos. The use of these accounts left a trail of digital evidence tying various hacks to Korinets’ online life, including social media accounts and personal websites.
Billy Leonard, a security engineer at Google’s Threat Analysis Group who researches nation-state hacking, said Korinets was involved. “Google linked this individual to the Russian hacking group Cold River and their early operations,” he said.
Vincas Ciziunas, a security researcher at Nisos who also linked Korinets’ email addresses to Cold River activities, said the IT worker historically appeared to be a “central figure” in the Syktyvkar hacking community. Ciziunas discovered a series of Russian-language Internet forums, including an e-zine, where Korinets had discussed hacking and shared those posts with Reuters.
Korinets confirmed in an interview with Reuters that he owned the relevant email accounts, but denied any knowledge of Cold River. He said his only experience with hacking came years ago when he was fined by a Russian court for a computer crime committed during a business dispute with a former client.
Reuters was able to separately confirm Korinets’ links to Cold River using data collected through the cybersecurity research platforms Constella Intelligence and DomainTools, which help identify website owners: the data showed that Korinets’ email addresses were used to register numerous websites used in Cold River hacking campaigns between 2015 and 2020.
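The two techniques the article describes, brand-impersonation domains such as “goo-link.online” and “online365-office.com” used for credential harvesting, and the registrant-email pivot Reuters ran through DomainTools and Constella data, can be illustrated together. The script below is an added example and is not code from Reuters, Google, Nisos or any other firm named here: it scores domains for impersonation of Google and Microsoft with a small hand-written token list (an assumption; a real deployment would use the organization’s own brand and allow lists), then groups domains by registrant email and surfaces registrants tied to more than one impersonation domain. The registration records are constructed, and the email addresses are placeholders, not the real addresses Reuters traced.

```python
"""Brand-impersonation scoring plus registrant-email pivot.

Added example, not from the article or any cited firm. The BRAND_TOKENS and
LEGIT lists are assumptions for illustration; the RECORDS are constructed
and the e-mail addresses are placeholders.
"""
import re
from collections import defaultdict

# Apex domains that legitimately carry the brand names (assumption: short list).
LEGIT = {"google.com", "office.com", "microsoft.com", "live.com", "outlook.com"}

# Tokens that suggest impersonation of a brand. Short tokens (under 5 chars)
# must match a whole label fragment to limit false positives such as "goodreads".
BRAND_TOKENS = {
    "google": ("google", "goo", "gooogle", "g00gle"),
    "microsoft": ("microsoft", "office", "outlook", "onedrive", "msft", "o365", "365"),
}


def registrable(domain):
    """Lower-cased last two labels of a hostname.

    Assumption: multi-label public suffixes such as co.uk are ignored here.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(domain):
    """Return the brand a domain appears to impersonate, or None."""
    reg = registrable(domain)
    if reg in LEGIT:
        return None
    sld = reg.split(".")[0]
    # Split on hyphens/underscores and on letter/digit boundaries so that
    # "online365-office" becomes ["online", "365", "office"].
    parts = re.split(r"[-_]|(?<=\D)(?=\d)|(?<=\d)(?=\D)", sld)
    for brand, tokens in BRAND_TOKENS.items():
        for tok in tokens:
            if len(tok) >= 5:
                if tok in sld:
                    return brand
            elif tok in parts:
                return brand
    return None


# Constructed stand-in for DomainTools/Constella-style registration data:
# (domain, registrant e-mail). Two of the domains are the ones the article names.
RECORDS = [
    ("goo-link.online", "registrant-a@example.net"),
    ("online365-office.com", "registrant-a@example.net"),
    ("secure-mail-update.site", "registrant-a@example.net"),
    ("goodreads.com", "hostmaster@example.org"),
    ("accounts.google.com", "dns-admin@example.com"),
    ("ms-office-365.net", "registrant-b@example.net"),
]


def pivot_on_registrant(records):
    """Group domains by registrant e-mail.

    Returns {email: {"impersonation": [(domain, brand), ...], "other": [domain, ...]}}.
    """
    clusters = defaultdict(lambda: {"impersonation": [], "other": []})
    for domain, email in records:
        brand = impersonated_brand(domain)
        if brand:
            clusters[email]["impersonation"].append((domain, brand))
        else:
            clusters[email]["other"].append(domain)
    return dict(clusters)


def prioritised_registrants(records, minimum=2):
    """Registrant e-mails tied to at least `minimum` impersonation domains,
    most-linked first. These are the pivots worth chasing into further
    infrastructure, which is the step Reuters describes."""
    clusters = pivot_on_registrant(records)
    hits = [e for e, c in clusters.items() if len(c["impersonation"]) >= minimum]
    return sorted(hits, key=lambda e: -len(clusters[e]["impersonation"]))


if __name__ == "__main__":
    for email, cluster in pivot_on_registrant(RECORDS).items():
        print(email, cluster)
    print("pivot candidates:", prioritised_registrants(RECORDS))
```

The whole-fragment rule for short tokens is the important design choice: matching “goo” as a bare substring would flag “goodreads.com”, while requiring it to be a complete hyphen- or digit-delimited fragment still catches “goo-link.online”. Any domain that resolves to an allow-listed apex (such as accounts.google.com) is excluded before scoring, so subdomains of the real brand never appear as impersonations.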
It is unclear whether Korinets has been involved in hacking operations since 2020. He did not explain why these email addresses were used and did not respond to further emailed questions and phone calls.