StartMag

Cold River: who are the Russian hackers interested in US nuclear research

A Russian hacking group known as Cold River tried to break into three nuclear research laboratories in the United States. Here are the details.

An exclusive Reuters report reveals that last summer, just as Vladimir Putin was brandishing the nuclear weapon and threatening its use, three US nuclear research laboratories were the target of an attempted computer intrusion by a Russian hacker group known as Cold River.

The attack

Between August and September 2022, Cold River targeted the Brookhaven, Argonne and Lawrence Livermore laboratories. In this case the group reportedly set up fake login pages and sent emails to nuclear scientists in an attempt to steal their passwords.

It is not known whether the operation succeeded. Contacted by Reuters, the three laboratories declined to comment, as did the US Department of Energy and the NSA.

What did emerge are the attackers' digital fingerprints: Reuters showed them to five cybersecurity experts, who attributed them to Cold River.

Earlier attacks

Adam Meyers, vice president of intelligence at the cybersecurity company CrowdStrike, has no doubts: Cold River is "one of the most important hacker groups we have heard of" and is "involved in direct support of the Kremlin's information operations".

The group first appeared on the radar of intelligence professionals in 2016, after an attack on the Foreign Office in London. Since then, Cold River has been involved in dozens of other high-profile cyberattacks, according to the five cybersecurity firms interviewed by Reuters.

In particular, a campaign last May in Great Britain made headlines: as NBC reported at the time, the group obtained numerous emails written by public figures, including the former chief of the MI6 intelligence service Sir Richard Dearlove, and published them in full, WikiLeaks-style.

According to Reuters, Cold River has conducted an intense campaign of attacks against targets linked to Kiev since February 24, the first day of the invasion of Ukraine.

Of particular note is an operation against three European NGOs investigating war crimes committed by Russian forces. According to the French cybersecurity firm Sekoia, Cold River attempted to contribute to "Russian intelligence gathering related to evidence of identified war crimes and/or international justice procedures."

Who is behind Cold River?

Unfortunately for them, in conducting their operations the Cold River hackers left many traces of their activity, which made it possible to identify one of the group's members.

Specifically, the email accounts used to carry out the attacks were linked to a 35-year-old IT specialist and bodybuilder who lives in the Russian city of Syktyvkar. The man is called Andrej Korinets and, according to Google security engineer Billy Leonard, has been involved in Cold River's activities since its inception.

According to Vincas Ciziunas, a researcher at Nisos, Korinets is a "central figure" in the Syktyvkar hacker community. Ciziunas uncovered a series of Russian-language internet forums in which Korinets discussed his hacking activity.

Contacted by Reuters, Korinets confirmed that he owned the email accounts in question but denied any involvement in Cold River. He did, however, admit to having some hacking expertise, which he said had earned him a fine from a Russian court in the past.

Reuters, though, independently verified the close connection between Korinets and Cold River's activities using data collected by the cybersecurity firms Constella Intelligence and DomainTools, which established that Korinets' email addresses were used to register numerous websites employed in Cold River hacking campaigns between 2015 and 2020.

What is not clear, Reuters points out, is whether Korinets also carried out operations after 2020. Asked about this by the British news agency, he declined to answer.


This is a machine translation from Italian of a post published on Start Magazine at the URL https://www.startmag.it/cybersecurity/cold-river-attacco-hacker-laboratori-nucleare/ on Mon, 09 Jan 2023 06:55:54 +0000.