Spica Uncovered: Google’s Response to Russian APT ColdRiver’s Latest Malware
By Lauren LaPorta
Russian advanced persistent threat (APT) ColdRiver has expanded and evolved its phishing campaigns against Western officials and allies of Ukraine through the deployment of a new custom backdoor, Spica. Google’s Threat Analysis Group (TAG) continues to protect user safety through Safe Browsing blocklists and user safety alerts.
ColdRiver’s History of Cyber Espionage
Google’s Threat Analysis Group (TAG) has been reporting on and fighting the espionage attempts of Russian APT ColdRiver since 2016, when security researchers first discovered the group after its phishing campaign against Britain’s Foreign Office. ColdRiver, also known as Star Blizzard, Callisto, and UNC4057, is known for its espionage against high-profile individuals in NATO governments and NGOs, as well as former military and intelligence officers. Since the Russian invasion of Ukraine in 2022, ColdRiver has stepped up its phishing campaigns against Western allies of Ukraine. ColdRiver’s espionage efforts are known to be connected to the Russian government’s intelligence arm, the Federal Security Service, and TAG has tracked the group’s phishing campaigns as aligned with the Russian government. Research groups exposed ColdRiver campaigns and techniques last year, including its campaign against three United States nuclear research labs: Brookhaven, Argonne, and Lawrence Livermore National Laboratories. In response to that exposure, ColdRiver quickly adopted new tactics, techniques, and procedures (TTPs).
Advancing Threats: The Spica Backdoor
ColdRiver’s phishing campaigns have evolved to include extended capabilities, such as the use of custom backdoor malware. The APT continues its credential phishing against Ukraine, NATO allies, academic institutions, and NGOs. ColdRiver uses impersonation accounts that pose as an expert in a field connected to the target. The impersonation account sends the target a phishing link, or a document containing a link, and delivers malware through PDFs used as lure documents. To trick users, ColdRiver’s impersonation accounts present these PDFs as a new op-ed or article that they wish to publish and for which they seek the target’s feedback.
If the target opens the attached document, its text appears encrypted, so the user cannot read it. If the target replies that they are unable to read the document, the ColdRiver account responds with a link to a cloud storage site hosting a “decryption” tool the target can use. The decryption tool decodes the embedded PDF, writes it to disk, and displays the PDF to the user as a decoy file. Google’s TAG tracks this new custom malware as Spica, which gives ColdRiver direct access to the target’s device. Written in Rust and using JSON for command and control, Spica supports a range of commands, such as stealing cookies from Chrome and Firefox. Google’s TAG first detected the use of Spica in September 2023, but TAG believes that ColdRiver’s use of Spica dates back to November 2022. While there are four different variants of the PDF lures, TAG has only been able to retrieve one instance of Spica, which was active around August and September of 2023.
Cross-Regional Cyber Threats: Mint Sandstorm v. ColdRiver
ColdRiver’s new custom backdoor mirrors Microsoft Threat Intelligence’s discovery of Mint Sandstorm, an Iranian APT that similarly deployed a new custom backdoor called MediaPI and lured targets with media about the Israel-Hamas War. Like ColdRiver, Mint Sandstorm targets high-profile individuals in Middle Eastern affairs, academia, and research in the United States, United Kingdom, Belgium, France, Gaza, and Israel. Mint Sandstorm’s espionage efforts are affiliated with the intelligence arm of Iran’s military, the Islamic Revolutionary Guard Corps (IRGC). Mint Sandstorm targets individuals with insight into policy and security issues that are of interest to Tehran.
Google’s Measures to Protect User Safety
Similar to Microsoft’s response to MediaPI, Google has taken steps to improve the safety and security of its users by adding all identified websites, domains, and files to Safe Browsing blocklists. Additionally, TAG continues to send targeted Gmail and Workspace users alerts about government-backed attackers to make them aware of the activity, and it encourages users to enable Enhanced Safe Browsing in Chrome and keep all devices up to date. Google’s and Microsoft’s ongoing efforts to counter cyber threats remain crucial to safeguarding users’ sensitive information from the evolving landscape of government-backed cyber espionage.