A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States last summer, according to Internet records reviewed by JEE News and five cybersecurity experts.
Between August and September, as President Vladimir Putin signaled that Russia would be willing to use nuclear weapons to defend its territory, Cold River targeted the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore (LLNL) National Laboratories, according to the Internet records. The records show the hackers creating fake login pages for each institution and emailing nuclear scientists in an attempt to get them to reveal their passwords.
JEE News was unable to determine why the labs were targeted or whether any intrusion attempts were successful. A BNL spokesperson declined to comment. LLNL did not respond to a request for comment. An ANL spokesman referred questions to the US Department of Energy, which declined to comment.
Cold River has stepped up its hacking campaign against Kyiv’s allies since the invasion of Ukraine, according to cybersecurity researchers and Western government officials. The digital attacks on the US labs came as UN experts entered Russian-controlled territory in Ukraine to inspect Europe’s largest nuclear power plant and assess the risk of what both sides described as a near miss: amid intense shelling, catastrophic radiation damage could occur.
Cold River, which first appeared on the radar of intelligence professionals after targeting the UK Foreign Office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms. JEE News traced the email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.
“This is a major hacking group you’ve never heard of,” said Adam Myers, senior vice president of intelligence at US cyber security firm CrowdStrike. “They are involved in directly supporting the Kremlin’s information operations.”
Russia’s Federal Security Service (FSB), the domestic security agency that also runs espionage operations for Moscow, and the Russian Embassy in Washington did not respond to email requests for comment.
Western officials say the Russian government is a world leader in hacking and uses cyber espionage to spy on foreign governments and industries to gain a competitive advantage. However, Moscow has consistently denied that it carried out hacking operations.
JEE News showed their findings to five industry experts who confirmed Cold River’s involvement in the nuclear labs hack attempt based on shared digital fingerprints.
The US National Security Agency (NSA) declined to comment on Cold River’s activities. Britain’s Government Communications Headquarters (GCHQ), its NSA equivalent, had no comment. The Foreign Office declined to comment.
‘Intelligence Collection’
In May, Cold River hacked and leaked the emails of the former head of Britain’s MI6 spy service. According to cybersecurity experts and Eastern European security officials, it was one of several ‘hack and leak’ operations last year by Russian-linked hackers that exposed secret communications in Britain, Poland and Latvia.
In another recent espionage operation targeting critics of Moscow, Cold River registered domain names designed to mimic at least three European NGOs that were investigating war crimes, according to French cybersecurity firm SEKOIA.IO.
The hacking efforts involving the NGOs came just before and after the October 18 release of a report by an independent UN commission of inquiry, which found that Russian forces had committed “massive” human rights abuses and were responsible for the “majority” of them in the early weeks of the Ukraine war, which Russia calls a special military operation.
In a blog post, SEKOIA.IO said that, based on its targeting of NGOs, Cold River “contributes to the collection of Russian intelligence on identified war crimes evidence and/or international justice procedures.” JEE News was unable to independently confirm why Cold River targeted the NGOs.
The Commission on International Justice and Accountability (CIJA), a non-profit organization founded by a veteran war crimes investigator, said it had been repeatedly targeted, without success, by Russian-backed hackers over the past eight years. Two other NGOs, the International Center on Nonviolent Conflict and the Centre for Humanitarian Dialogue, did not respond to requests for comment.
The Russian Embassy in Washington did not return a request for comment about the hack attempt against CIJA.
Security researchers told JEE News that Cold River used tactics such as tricking people into entering their usernames and passwords on fake websites in order to gain access to their computer systems. To do this, Cold River used multiple email accounts to register domain names such as “goo-link.online” and “online365-office.com”, which were designed to look similar to legitimate services run by firms such as Google and Microsoft, the security researchers said.
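As an added illustration (not from the article or from any of the firms it cites), the following defender-side heuristic flags newly seen domains that resemble Google or Microsoft sign-in services, and is run over the two domains named above plus a few constructed benign ones; the brand keyword list, the allow-list and the prefix-length threshold are all assumptions chosen for the example.

```python
import re
from typing import Dict, List

# Constructed watch-list: brands and product keywords that credential-phishing
# pages commonly impersonate (assumption for this example, not from the article).
BRANDS: Dict[str, List[str]] = {
    "google": ["google", "gmail"],
    "microsoft": ["microsoft", "office", "365", "outlook", "onedrive"],
}

# Registrable domains those brands actually use (assumption: sample allow-list).
ALLOWLIST = {"google.com", "gmail.com", "microsoft.com", "office.com",
             "outlook.com", "live.com"}


def registrable_domain(fqdn: str) -> str:
    """Naive 'last two labels' cut, sufficient for the TLDs in this example."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_reasons(fqdn: str) -> List[str]:
    """Return the reasons a domain looks like brand impersonation ([] if clean)."""
    reg = registrable_domain(fqdn)
    if reg in ALLOWLIST:
        return []
    sld = reg.split(".")[0]  # second-level label, e.g. "online365-office"
    # Split on hyphens/underscores and on letter<->digit boundaries.
    chunks = [c for c in re.split(r"[-_]|(?<=\D)(?=\d)|(?<=\d)(?=\D)", sld) if c]
    reasons: List[str] = []
    for brand, keywords in BRANDS.items():
        hits = [k for k in keywords if k in chunks]
        # Full brand name, or two or more product keywords, outside the allow-list.
        if brand in sld or len(hits) >= 2:
            reasons.append(f"{brand}: keyword(s) {hits or [brand]} in non-allow-listed domain")
        # Truncated brand fragment joined with a separator, e.g. "goo-link" -> "goo".
        for c in chunks:
            if len(c) >= 3 and c != brand and brand.startswith(c):
                reasons.append(f"{brand}: fragment '{c}' is a prefix of the brand name")
    return reasons


if __name__ == "__main__":
    # The two domains quoted in the article, plus constructed benign examples.
    for d in ["goo-link.online", "online365-office.com", "accounts.google.com", "goodreads.com"]:
        print(d, "->", lookalike_reasons(d) or "clean")
```

Treat a non-empty result as a triage signal to be combined with registration age and certificate data, not as a verdict on its own.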
Close ties with Russia
Cold River has made several mistakes in recent years that have allowed cybersecurity analysts to pinpoint the exact location and identity of one of its members, providing the clearest indication yet of the group’s Russian origins, according to Internet giant Google, British defense contractor BAE, and American intelligence firm Nisos.
Several of the personal email addresses used to set up Cold River operations belong to Andrey Korinets, a 35-year-old IT worker and bodybuilder in Syktyvkar, about 1,600 kilometers (1,000 miles) northeast of Moscow. The use of these accounts left a trail of digital evidence from various hacks across Korinets’ online life, including social media accounts and personal websites.
Billy Leonard, a security engineer with Google’s Threat Analysis Group, which investigates nation-state hacking, said Korinets was involved. He said Google had linked the individual to the Russian hacking group Cold River and its early operations.
Vincas Ciziunas, a security researcher at Nisos who also linked Korinets’ email addresses to Cold River activity, said the IT worker historically appears to be a “central figure” in the Syktyvkar hacking community. Ciziunas discovered a series of Russian-language Internet forums, including an eZine, where Korinets had discussed hacking, and shared the posts with JEE News.
Korinets confirmed in an interview with JEE News that he owned the relevant email accounts but denied any knowledge of Cold River. He said his only experience with hacking was years ago, when he was fined by a Russian court for a computer crime committed during a business dispute with a former client.
JEE News was able to separately verify Korinets’ links to Cold River using data compiled by the cybersecurity research platforms Constella Intelligence and DomainTools, which help identify the owners of websites: Korinets’ email addresses were used to register several websites used in Cold River hacking campaigns between 2015 and 2020.
It is unclear whether Korinets has been involved in hacking operations since 2020. He offered no explanation as to why these email addresses were used and did not respond to further phone calls and emailed inquiries.
Reporting by James Pearson and Christopher Bing; additional reporting by Polina Nikolskaya, Maria Tsvetkova and Anton Zverev, and Zeba Siddiqui in San Francisco