Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering

Google: Russian FSB Hacking Group Turns to Malware

'Coldriver' Has Been Sending Backdoors Embedded in PDFs Since November 2022
Google: Russian FSB Hacking Group Turns to Malware
The emblem of the Federal Security Service of Russia in Kazan, Russia, in a photo taken on Sept. 7, 2019. (Image: Shutterstock)

A Russian domestic intelligence agency hacking group known for prolonged logon credential phishing campaigns against Western targets is now deploying malware embedded into PDFs, say security researchers from Google.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Authorities from the United States and United Kingdom in December linked the hacking group Google tracks as "Coldriver" to the Federal Security Service, Russia's successor to the Soviet Union's KGB security agency. Also known as Star Blizzard and the Callisto Group and formerly tracked by Microsoft as Seaborgium, the hacking group is responsible for a nearly 10-year-long spear-phishing campaign against British lawmakers in multiple political parties and the leak of classified documents (see: UK and US Accuse Russian FSB of 'Hack and Leak' Operation).

U.S. federal prosecutors indicted two Russian men, one an FSB officer, for unauthorized access to email accounts belonging to American intelligence, defense and Department of Energy government employees. As recently as Dec. 7, the U.S. Cybersecurity and Infrastructure Security Agency warned that Coldriver has continued spear-phishing attacks for espionage purposes. The group relies heavily on sending messages from spoofed email accounts - emails that appear to originate from a trusted person or organization.

In a Thursday blog post, Google's Threat Analysis Group said Coldriver is moving beyond phishing for credentials to delivering malware that uses PDF documents as lures. When victims open the document - putatively an opinion piece the spoofed sender wants published - the content is encrypted.

Coldriver operatives at that point attempt to smuggle malware onto victims' computers by suggesting they download a decryption utility. The software is actually a backdoor, one Google has dubbed Spica.

The threat group's targets have also included a Ukrainian defense contractor, Eastern European militaries and a NATO Center of Excellence.

Google believes there are multiple versions of the Spica backdoor - "each with a different embedded decoy document to match the lure document sent to targets." A sample studied by Google was likely active in August and September, although the Silicon Valley giant said that Coldriver's use of the backdoor dates to at least November 2022.

The backdoor supports a number of functions, including stealing web browser session cookies, enumerating documents and exfiltrating them as an archive. Spica also contains a command called "telegram," but "the functionality of this command is unclear."

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.