Google TAG: Kremlin cyber spies move into malware with a custom backdoor

January 18, 2024 at 09:05AM

Russian cyberspies linked to the FSB have developed a custom backdoor called SPICA and used it against academia, the military, government organizations, NGOs, think tanks and politicians in the US, the UK and other NATO countries. They have recently escalated their attacks against Ukraine's military and other Eastern European nations. The group delivers the malware through carefully staged phishing.

Google's Threat Analysis Group (TAG) reports that Russian cyberspies linked to the Kremlin's FSB have developed a custom backdoor called SPICA, which TAG believes the group has used in its espionage efforts since at least November 2022. SPICA is written in Rust and uses JSON over WebSockets for command and control; its capabilities include executing shell commands, stealing browser cookies, and enumerating and exfiltrating documents.

The group, tracked as COLDRIVER and also known as Star Blizzard, targets high-profile individuals in academia, the military, government organizations, NGOs, think tanks and politics in the US, the UK and other NATO countries, as well as in Ukraine and other Eastern European nations. Its tactics include fake social media profiles, webmail accounts that impersonate well-known figures and contacts of the target, and rapport-building correspondence before any malware is delivered.

Google TAG has published an analysis of the group's activities together with indicators of compromise for SPICA, including file hashes, sample names and C2 addresses. TAG has observed SPICA in only a small number of campaigns, which points to highly targeted use rather than broad distribution.

The delivery chain relies on a benign PDF (it carries no exploit) whose contents appear encrypted or unreadable. When the target replies that they cannot open the file, the attackers send a link to a supposed "decryption" utility, which is in fact the SPICA backdoor; on launch it opens a decoy document so the victim sees what they expected.

The group's activities have drawn the attention of government agencies and technology companies, and efforts to counter its evasion techniques and phishing tradecraft are ongoing. TAG's findings document the group's move from credential phishing into custom malware and the corresponding expansion of its espionage capabilities.
