Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering
Google: Russian FSB Hacking Group Turns to Malware
'Coldriver' Has Been Sending Backdoors Embedded in PDFs Since November 2022A Russian domestic intelligence agency hacking group known for prolonged logon credential phishing campaigns against Western targets is now deploying malware embedded into PDFs, say security researchers from Google.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Authorities from the United States and United Kingdom in December linked the hacking group Google tracks as "Coldriver" to the Federal Security Service, Russia's successor to the Soviet Union's KGB security agency. Also known as Star Blizzard and the Callisto Group and formerly tracked by Microsoft as Seaborgium, the hacking group is responsible for a nearly 10-year-long spear-phishing campaign against British lawmakers in multiple political parties and the leak of classified documents (see: UK and US Accuse Russian FSB of 'Hack and Leak' Operation).
U.S. federal prosecutors indicted two Russian men, one an FSB officer, for unauthorized access to email accounts belonging to American intelligence, defense and Department of Energy government employees. As recently as Dec. 7, the U.S. Cybersecurity and Infrastructure Security Agency warned that Coldriver has continued spear-phishing attacks for espionage purposes. The group relies heavily on sending messages from spoofed email accounts - emails that appear to originate from a trusted person or organization.
In a Thursday blog post, Google's Threat Analysis Group said Coldriver is moving beyond phishing for credentials to delivering malware that uses PDF documents as lures. When victims open the document - putatively an opinion piece the spoofed sender wants published - the content is encrypted.
Coldriver operatives at that point attempt to smuggle malware onto victims' computers by suggesting they download a decryption utility. The software is actually a backdoor, one Google has dubbed Spica.
The threat group's targets have also included a Ukrainian defense contractor, Eastern European militaries and a NATO Center of Excellence.
Google believes there are multiple versions of the Spica backdoor - "each with a different embedded decoy document to match the lure document sent to targets." A sample studied by Google was likely active in August and September, although the Silicon Valley giant said that Coldriver's use of the backdoor dates to at least November 2022.
The backdoor supports a number of functions, including stealing web browser session cookies, enumerating documents and exfiltrating them as an archive. Spica also contains a command called "telegram," but "the functionality of this command is unclear."