2024-01-18

The Russian state-sponsored hacking group known as Coldriver has developed a new phishing technique that uses encrypted PDFs to distribute a custom backdoor named Spica. Google's Threat Analysis Group reports that Coldriver, which the US and UK suspect of having ties to the Russian government, sends its victims encrypted PDF documents under the guise of seeking feedback. This approach marks a significant evolution in the group's tactics, which were previously focused on phishing for credentials.

The Deception of Decryption

When victims report their inability to decipher the encrypted text, they are provided with a link to a supposed 'decryption' utility. In reality, this utility is the Spica malware, which is capable of executing commands, stealing browser cookies, and exfiltrating documents. Spica, identified as Coldriver's first custom malware, has been in use since at least November 2022, but it was only observed by Google in September 2023. The hackers often employ impersonation to build rapport with their targets, thereby increasing the likelihood of a successful phishing attempt.
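A mail-triage check for the two-stage lure described above, written here as an added example for defenders (it is not code from the article or from Google TAG): it flags PDF attachments whose trailer or cross-reference-stream dictionary carries an `/Encrypt` entry, and message bodies that offer a "decryption utility" via a link. The PDF bytes and message text are constructed for the demonstration and are not real Coldriver samples.

```python
import re
from typing import Dict, List

# Constructed minimal PDFs (not real samples). An encrypted PDF references an
# /Encrypt dictionary from its trailer, or from the /XRef stream dictionary in
# files that use cross-reference streams instead of a classic trailer.
ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"5 0 obj << /Filter /Standard /V 5 /R 6 >> endobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
XREF_STREAM_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog >> endobj\n"
                   b"6 0 obj << /Type /XRef /Root 1 0 R /Encrypt 5 0 R /Size 7 >>"
                   b" stream\n\nendstream endobj\nstartxref\n90\n%%EOF\n")
PLAIN_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Classic trailer dictionary; lazy match is fine because trailers normally hold
# references rather than nested dictionaries.
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
# Dictionary of a cross-reference stream object (PDF 1.5+).
XREF_STREAM_RE = re.compile(rb"<<([^>]*?/Type\s*/XRef[^>]*?)>>")
# Body text offering a "decryption tool/utility", the second stage of the lure.
DECRYPT_LURE_RE = re.compile(r"decrypt\w*\s+(tool|utility|software|program)", re.I)
URL_RE = re.compile(r"https?://\S+")


def pdf_is_encrypted(data: bytes) -> bool:
    """True if any trailer or xref-stream dictionary references /Encrypt."""
    if not data.startswith(b"%PDF"):
        return False
    dicts = TRAILER_RE.findall(data) + XREF_STREAM_RE.findall(data)
    # \b stops /EncryptMetadata (a key inside the encryption dict) from matching.
    return any(re.search(rb"/Encrypt\b", d) for d in dicts)


def triage_message(body: str, attachments: Dict[str, bytes]) -> List[str]:
    """Return human-readable findings for one message; empty list means no signal."""
    findings = []
    for name, data in attachments.items():
        if name.lower().endswith(".pdf") and pdf_is_encrypted(data):
            findings.append(f"encrypted PDF attachment: {name}")
    if DECRYPT_LURE_RE.search(body) and URL_RE.search(body):
        findings.append("body offers a decryption utility via link")
    return findings
```

Either finding alone is a weak signal; the combination across a thread, an encrypted PDF followed by a reply linking a "decryption" tool, is what matches the lure sequence described above.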

Targeted Attacks

Coldriver's targeting is wide-ranging but deliberate. Its objectives include stealing login credentials from individuals and entities connected to Ukraine, NATO, academic institutions, and NGOs. The group has also targeted the defense-industrial sector and US Department of Energy facilities since 2019, and broadened its target set in 2022. This range of targets points to the geopolitical motivations behind its activities.

Response and Mitigation

In response to Coldriver's activities, Google has updated its software to block domains associated with the group's phishing campaigns, as part of its ongoing efforts to safeguard users. The US Cybersecurity and Infrastructure Security Agency has noted the group's expanding activities and issued alerts to potential targets. However, the evolving nature of Coldriver's tactics, including the use of their first custom malware, underscores the increasing sophistication of state-sponsored cyber threats, ultimately necessitating vigilant cybersecurity measures.