January 18, 2024 at 09:12AM
Google's Threat Analysis Group (TAG) has warned about ColdRiver, a Russian threat group long known for credential-phishing campaigns that has now moved to developing and deploying custom malware. Also tracked as Star Blizzard and Callisto Group, among other names, the group is linked to Russia's FSB; the US and UK governments have issued advisories and sanctions against it. Google has identified a backdoor it calls Spica, used in support of the group's cyberespionage and influence operations.
Key takeaways from the report are as follows:
– ColdRiver, a threat group associated with Russia's FSB security service, conducts both cyberespionage operations and influence campaigns.
– ColdRiver targets academia and the defense, government, NGO and think-tank sectors in the US, the UK and other NATO countries.
– Google has published indicators of compromise (IoCs) and YARA rules so defenders can hunt for and analyze ColdRiver activity.
– ColdRiver developed and uses custom malware named Spica, a backdoor written in Rust that can run arbitrary shell commands, steal browser cookies, upload and download files, and enumerate the file system.
– Spica has been delivered through benign PDFs that appear to be encrypted. When the recipient replies that the document is unreadable, they are sent a link to a supposed decryption utility, which is the executable that installs the backdoor. The chain is an extension of the group's long-running spear-phishing, which previously focused on harvesting credentials rather than dropping malware.
– Google researchers first observed Spica in the wild in September 2023, but assess that ColdRiver has used it since at least November 2022, and that multiple versions of the backdoor may exist.
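As an added example (not code from Google's report or from this page), the following Python triage helper checks for the delivery pattern described in the takeaways: a PDF that reads as encrypted but carries no document-level /Encrypt dictionary, paired with a message offering a "decryption" tool, and it matches attachments against an IoC hash list. The sample PDFs, message text, executable bytes and hash set are constructed stand-ins, not the published indicators; the decryptor keyword heuristic is an assumption of the example.

```python
"""Triage helper for the ColdRiver-style lure described above.

A PDF that is genuinely encrypted declares it with an /Encrypt entry in
its trailer dictionary (or, for PDF 1.5+ files, in the cross-reference
stream dictionary). The lure PDF only *looks* encrypted to the reader;
it has no such entry, and the "decryption utility" offered afterwards is
the real payload. Added example; samples below are constructed.
"""
import hashlib
import re

_PDF_MAGIC = b"%PDF-"
# /Encrypt is followed by an indirect reference ("4 0 R") or an inline dict.
_ENCRYPT_RE = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")
# Assumed heuristic: the lure message talks about decrypting the attachment.
_DECRYPTOR_HINT_RE = re.compile(r"\bdecrypt\w*", re.IGNORECASE)


def pdf_declares_encryption(data: bytes) -> bool:
    """True if the PDF carries a document-level /Encrypt dictionary."""
    if not data.startswith(_PDF_MAGIC):
        raise ValueError("not a PDF")
    # Only trust /Encrypt in the last trailer or in an /XRef stream
    # dictionary; a stray '/Encrypt' inside page content must not count.
    tail = data[data.rfind(b"trailer"):] if b"trailer" in data else b""
    xref_dicts = re.findall(rb"<<[^>]*?/Type\s*/XRef[^>]*?>>", data, re.S)
    return any(_ENCRYPT_RE.search(c) for c in [tail, *xref_dicts])


def triage_message(body: str, attachments: dict) -> list:
    """Return findings for a message with {filename: bytes} attachments.

    Flags a PDF that is not encrypted at the format level when the body
    nonetheless offers a decryptor: that is the lure pattern.
    """
    findings = []
    offers_decryptor = bool(_DECRYPTOR_HINT_RE.search(body))
    for name, blob in attachments.items():
        if not blob.startswith(_PDF_MAGIC):
            continue
        if pdf_declares_encryption(blob):
            continue  # really encrypted; the viewer will ask for a password
        if offers_decryptor:
            findings.append(
                f"{name}: PDF has no /Encrypt dictionary but the message "
                f"offers a decryptor; matches the lure pattern"
            )
    return findings


def match_iocs(attachments: dict, ioc_sha256: set) -> dict:
    """Return {filename: sha256} for attachments whose hash is in the IoC set."""
    hits = {}
    for name, blob in attachments.items():
        digest = hashlib.sha256(blob).hexdigest()
        if digest in ioc_sha256:
            hits[name] = digest
    return hits


# --- constructed samples (not from any real campaign) -------------------
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Filter /Standard /V 1 /R 2 /O <00> /U <00> /P -1 >> endobj
trailer << /Root 1 0 R /Encrypt 4 0 R /ID [<00> <00>] >>
%%EOF
"""
LURE_BODY = ("Please see the attached document. If it shows as encrypted, "
             "download the decryption utility from the link in my last email.")
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"constructed-sample-not-real-malware"
SAMPLE_EXE_SHA256 = hashlib.sha256(SAMPLE_EXE).hexdigest()
# Stand-in IoC set; replace with the hashes Google published.
IOC_SHA256 = {SAMPLE_EXE_SHA256}

if __name__ == "__main__":
    inbox = {"report.pdf": PLAIN_PDF, "decrypter.exe": SAMPLE_EXE}
    for line in triage_message(LURE_BODY, inbox):
        print(line)
    for name, digest in match_iocs(inbox, IOC_SHA256).items():
        print(f"{name}: IoC hash match {digest}")
```

The /Encrypt check is a format-level fact, so it is a reliable negative: a PDF without it cannot be encrypted no matter what the page shows. The keyword heuristic only decides when to raise that fact as a finding; tune it to your own mail flow.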
These takeaways underline that ColdRiver's tradecraft is evolving beyond credential phishing into custom malware, and they give defenders the specifics of Spica and its delivery chain needed to assess their exposure.