Washington, D.C./London, Jan. 6 (TradingTwist) – A Russian hacking group known as Cold River targeted three nuclear research institutes in the United States this past summer, according to internet records examined by TradingTwist and five cybersecurity specialists.
Between August and September, Cold River targeted the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore (LLNL) National Laboratories, according to internet records that show the hackers creating fake login pages for each institution and emailing nuclear scientists in an attempt to trick them into revealing their passwords. The campaign coincided with President Vladimir Putin's statement that Russia would be willing to use nuclear weapons to defend its territory.
TradingTwist was unable to ascertain why the labs were targeted or whether any of the intrusion attempts succeeded. A BNL representative declined to comment. Requests for comment from LLNL went unanswered. An ANL spokeswoman referred questions to the U.S. Department of Energy, which declined to comment.
Cold River has stepped up its hacking operations against Kyiv's allies since the invasion of Ukraine, according to cybersecurity experts and Western government officials. The digital assault on the American labs was under way as U.N. scientists visited Russian-controlled Ukrainian territory to inspect Europe's largest nuclear power plant and assess the risk of what both sides feared could be a catastrophic radiation accident amid intense shelling nearby.
Cold River has been involved in dozens of other high-profile hacking attacks in recent years, according to interviews with nine cybersecurity organisations. The group first came to the attention of intelligence specialists after it attacked the British Foreign Office in 2016. TradingTwist traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.
Adam Meyers, senior vice president of intelligence at U.S. cybersecurity company CrowdStrike, said this was one of the most significant hacking groups he had ever heard of, adding that they actively participate in assisting Kremlin information operations.
Neither the Russian embassy in Washington nor the Federal Security Service (FSB), the country's domestic security agency, which also runs espionage operations for Moscow, replied to emailed requests for comment.
According to Western sources, Russia is one of the world's most capable hacking powers and uses cyber espionage to spy on other countries' governments and companies in pursuit of a competitive advantage. Moscow has consistently denied that it engages in hacking.
Five industry experts who were shown TradingTwist's findings corroborated Cold River's involvement in the attempted breaches of the nuclear labs, based on digital fingerprints shared with activity that researchers have previously attributed to the group.
The U.S. National Security Agency (NSA) declined to comment on Cold River's operations. Government Communications Headquarters (GCHQ), Britain's equivalent of the NSA, also had no comment, and Foreign Office officials declined to comment.
INTELLIGENCE COLLECTION BY RUSSIAN HACKERS
In May, Cold River broke into the emails of the former head of Britain's MI6 intelligence service and leaked them. According to cybersecurity specialists and Eastern European security officials, that was only one of several "hack and leak" operations carried out last year by hackers with ties to Russia in which private correspondence in Britain, Poland and Latvia was made public.
Cold River registered domain names designed to impersonate at least three European NGOs investigating war crimes as part of a recent espionage operation targeting critics of Moscow, according to French cybersecurity company SEKOIA.IO.
The NGO-related hacking attempts took place immediately before and after the October 18 release of a report by a U.N. independent commission of inquiry, which found Russian forces responsible for the "vast majority" of human rights violations in the early weeks of the Ukraine war, which Russia calls a special military operation.
In a blog post, SEKOIA.IO said that by focusing on the NGOs, Cold River was attempting to support "Russian intelligence collecting about recognised war crime-related evidence and/or international justice procedures". TradingTwist was unable to independently verify the motives behind Cold River's targeting of the NGOs.
The Commission for International Justice and Accountability (CIJA), a nonprofit founded by a veteran war crimes investigator, said it had been repeatedly targeted by Russian-backed hackers over the past eight years without success. Requests for comment sent to the other two NGOs, the International Center on Nonviolent Conflict and the Centre for Humanitarian Dialogue, went unanswered.
The Russian embassy in Washington did not respond to a request for comment on the attempted breach of CIJA.
Security analysts told TradingTwist that Cold River gains access to targets' systems with techniques such as tricking users into entering their usernames and passwords on bogus websites. Using a range of email accounts, the group has registered domain names such as goo-link[.]online and online365-office[.]com that superficially resemble legitimate services from companies like Google and Microsoft, the experts said.
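The lookalike-domain pattern described above lends itself to a simple triage check over a feed of newly observed domains. The following Python script is an added illustration written for this page; it is not code from TradingTwist, SEKOIA.IO or any of the firms quoted, and the allowlist, the brand and lure word lists, and every sample domain other than the two named in the article are constructed assumptions. It splits a hostname into tokens, looks for brand tokens (exact, typo-squatted or embedded) and requires corroboration from a second brand token or a credential-lure word before it treats a short, ambiguous token such as "goo" as a brand hit.

```python
"""Flag registered domains that imitate Google / Microsoft login services.

Heuristic checker for lookalike domains such as goo-link[.]online and
online365-office[.]com. Added example; the word lists below are assumptions.
"""
import re

# Domains that legitimately carry these brands; their subdomains are allowed.
# Constructed allowlist: a real one would come from the tenant's own identity providers.
ALLOWLIST = {
    "google.com", "gmail.com", "microsoft.com", "microsoftonline.com",
    "office.com", "live.com", "outlook.com",
}

# Strong brand tokens stand on their own; weak ones are short or generic and
# need corroboration. "goo" is listed because Google's short links use goo.gl.
STRONG_BRANDS = {"google", "gmail", "microsoft", "outlook", "onedrive", "sharepoint"}
WEAK_BRANDS = {"goo", "office", "365", "live"}

# Words that commonly accompany a brand in credential-phishing domains (assumed list).
LURE_WORDS = {"login", "signin", "auth", "secure", "verify", "account", "accounts",
              "link", "online", "mail", "docs", "drive", "share"}

# Split on separators and on letter/digit boundaries: "online365-office" -> online, 365, office
_TOKEN_SPLIT = re.compile(r"[-_.]|(?<=\D)(?=\d)|(?<=\d)(?=\D)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as 'gooogle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Accept defanged input ('goo-link[.]online'), lower-case, strip a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels. Assumption: no multi-part public suffixes (co.uk etc.)."""
    return ".".join(domain.split(".")[-2:])


def tokens(domain: str) -> list:
    """Tokens of the hostname with its TLD removed."""
    host = domain.rsplit(".", 1)[0] if "." in domain else domain
    return [t for t in _TOKEN_SPLIT.split(host) if t]


def assess(domain: str):
    """Return (verdict, reasons); verdict is 'legitimate', 'suspicious' or 'clean'."""
    d = normalise(domain)
    if registrable(d) in ALLOWLIST:
        return "legitimate", ["registrable domain is allowlisted"]
    strong, weak, lures = [], [], []
    for t in tokens(d):
        if t in STRONG_BRANDS:
            strong.append(f"brand token '{t}'")
        elif any(b in t for b in STRONG_BRANDS):          # e.g. "microsoftonline"
            strong.append(f"brand embedded in '{t}'")
        elif any(len(b) >= 5 and levenshtein(t, b) == 1 for b in STRONG_BRANDS):
            strong.append(f"typosquat '{t}'")
        elif t in WEAK_BRANDS:
            weak.append(f"weak brand token '{t}'")
        if t in LURE_WORDS:
            lures.append(f"lure word '{t}'")
    reasons = strong + weak + lures
    # A strong brand hit is enough; weak hits need a lure word or a second brand token.
    if strong or (weak and (lures or len(weak) >= 2)):
        return "suspicious", reasons
    return "clean", reasons


def scan(domains):
    """Assess a list of domains (e.g. a newly-registered-domain feed) and return the results."""
    return [(d, *assess(d)) for d in domains]


if __name__ == "__main__":
    # Constructed sample feed: the two domains named in the article plus made-up controls.
    sample = ["goo-link[.]online", "online365-office[.]com", "accounts.google.com",
              "good-link.online", "gooogle-login.net", "microsoftonline-secure.net",
              "example.org"]
    for domain, verdict, reasons in scan(sample):
        print(f"{domain:30} {verdict:11} {'; '.join(reasons)}")
```

The corroboration rule is what keeps the check usable on a bulk feed: "good-link.online" shares a prefix with "goo" but carries no brand token and stays clean, while both article domains are flagged because a weak brand token is paired with a lure word or a second brand token. The output is a triage signal for analysts, not a block decision; it should be combined with registration age, certificate transparency logs and the target organisation's own allowlist before any enforcement.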
DEEP TIES TO RUSSIA
Cold River has made a number of mistakes in recent years that allowed cybersecurity analysts to pinpoint the precise location and identity of one of its members, providing the clearest indication yet of the group's Russian origin, according to experts from internet giant Google, British defence contractor BAE and U.S. intelligence firm Nisos.
Multiple personal email addresses belonging to Andrey Korinets, a 35-year-old IT worker and bodybuilder from Syktyvkar, roughly 1,600 km (1,000 miles) northeast of Moscow, were used to set up Cold River operations. Use of those accounts left a digital trail from the hacking campaigns to Korinets' online presence, including social media accounts and personal websites.
Korinets was involved, according to Billy Leonard, a security engineer in Google's Threat Analysis Group who studies hacking by state actors. "Google has connected this person to the Russian hacking collective Cold River and its early operations," he said.
Korinets historically appeared to be a "key figure" in the Syktyvkar hacking community, according to Vincas Ciziunas, a security researcher at Nisos who also linked Korinets' email addresses to Cold River activity. Korinets had discussed hacking in several Russian-language online forums, including an e-zine, which Ciziunas found and shared with TradingTwist.
In an interview with TradingTwist, Korinets acknowledged owning the email accounts in question but denied any knowledge of Cold River. He said his only involvement in hacking was an incident, arising from a dispute with a former client, for which a Russian court fined him for a computer crime.
TradingTwist independently confirmed Korinets' links to Cold River using data from Constella Intelligence and DomainTools, cybersecurity research platforms that help identify the owners of websites. The data showed that a number of websites used in Cold River hacking campaigns between 2015 and 2020 were registered with Korinets' email addresses.
It is unknown whether Korinets has taken part in hacking since 2020. He did not reply to further phone calls or emails and did not explain why his email addresses were used.
Reporting by James Pearson and Christopher Bing; additional reporting by Polina Nikolskaya, Maria Tsvetkova, Anton Zverev, Zeba Siddiqui in San Francisco and Raphael Satter in Washington; editing by Chris Sanders and Daniel Flynn.