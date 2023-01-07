



LONDON/WASHINGTON, Jan 6 (Reuters) – A Russian hacking team known as Cold River targeted three nuclear research labs in the United States last summer, according to internet records reviewed by Reuters and five cybersecurity experts.

Between August and September, when President Vladimir Putin indicated that Russia would be willing to use nuclear weapons to defend its territory, Cold River targeted Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore (LLNL) National Laboratories, according to internet records that showed the hackers creating fake login pages for each institution and sending emails to nuclear scientists in an attempt to trick them into revealing their passwords.

Reuters was unable to determine why the labs were targeted or whether an attempted breach was successful. A BNL spokesperson declined to comment. LLNL did not respond to a request for comment. A spokesperson for ANL referred questions to the US Department of Energy, which declined to comment.

Cold River has intensified its hacking campaign against Kyiv’s allies since Russia invaded Ukraine, according to cybersecurity researchers and Western government officials. The digital blitz against US labs came as UN experts entered Russian-controlled Ukrainian territory to inspect Europe’s largest nuclear power plant and assess the risk of what both sides said could be a devastating radioactive disaster amid heavy shelling nearby.

Cold River, which first appeared on the radar of intelligence professionals after targeting the UK Foreign Office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity companies. Reuters traced the email accounts used in its hacking operations between 2015 and 2020 to a computer scientist in the Russian city of Syktyvkar.

“This is one of the biggest hacking groups you’ve ever heard of,” said Adam Meyers, senior vice president of intelligence at US cybersecurity firm CrowdStrike. “They are involved in direct support of the Kremlin’s information operations.”

Russia’s Federal Security Service (FSB), the internal security agency that also conducts spying campaigns for Moscow, and the Russian Embassy in Washington did not respond to emailed requests for comment.

Western officials say the Russian government is a world leader in hacking and uses cyber espionage to spy on foreign governments and industries to seek competitive advantage. However, Moscow has always denied carrying out hacking operations.

Reuters showed its findings to five industry experts who confirmed Cold River’s involvement in attempts to hack nuclear labs, based on shared fingerprints researchers have historically linked to the group.

The US National Security Agency (NSA) declined to comment on Cold River’s activities. Britain’s Government Communications Headquarters (GCHQ), its NSA equivalent, had no comment. The Foreign Office declined to comment.

‘INTELLIGENCE COLLECTION’

In May, Cold River broke into and leaked emails belonging to the former head of Britain’s MI6 spy service. According to cybersecurity experts and security officials in Eastern Europe, this was just one of several “hack and leak” operations last year by Russian-linked hackers in which confidential communications were made public in Great Britain, Poland and Latvia.

In another recent spy operation targeting critics of Moscow, Cold River registered domain names designed to impersonate at least three European NGOs investigating war crimes, according to French cybersecurity firm SEKOIA.IO.

The NGO-linked hacking attempts took place just before and after the October 18 launch of a report by an independent UN commission of inquiry that concluded that Russian forces were responsible for the “great majority” of human rights violations during the first weeks of the war in Ukraine, which Russia has called a special military operation.

In a blog post, SEKOIA.IO said that, based on its targeting of NGOs, Cold River was seeking to aid “Russian intelligence gathering on identified evidence related to war crimes and/or international legal proceedings.” Reuters was unable to independently confirm why Cold River targeted NGOs.

The Commission for International Justice and Accountability (CIJA), a nonprofit organization founded by a veteran war crimes investigator, said it had been repeatedly targeted by Russian-backed hackers over the past eight years without success. The other two NGOs, the International Center on Nonviolent Conflict and the Centre for Humanitarian Dialogue, did not respond to requests for comment.

The Russian Embassy in Washington did not return a request seeking comment on the CIJA hack attempt.

Cold River used tactics such as tricking people into entering their usernames and passwords on fake websites to gain access to their computer systems, security researchers told Reuters. To do this, Cold River used a variety of email accounts to register domain names such as “goo-link.online” and “online365-office.com” which, at a glance, look like legitimate services operated by companies such as Google and Microsoft, the security researchers said.
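The lookalike-domain pattern described above is something defenders can triage automatically from new-domain or DNS logs. The following is an added example (not Reuters’ code and not any vendor’s detection logic): a heuristic that flags registrable domains borrowing brand words or brand prefixes, tested against the two domains quoted in the article. The brand word list, the allowlist and the other sample domains are constructed for the example.

```python
"""Heuristic triage for domains impersonating Google/Microsoft login services.

Added example; brand words, allowlist and sample inputs are constructed.
"""
import re
from difflib import SequenceMatcher

# Legitimate registrable domains that must never be flagged (constructed allowlist).
ALLOWLIST = {"google.com", "microsoft.com", "office.com", "live.com", "outlook.com"}

# Brand and product words that credential-phishing domains borrow (constructed list).
BRAND_WORDS = {"google", "gmail", "microsoft", "office", "365", "outlook", "onedrive"}


def registrable_label(domain: str) -> str:
    """Second-level label: 'online365-office.com' -> 'online365-office'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def tokens(label: str) -> list[str]:
    """Split on hyphens and letter/digit boundaries: 'online365-office' -> ['online', '365', 'office']."""
    return re.findall(r"[a-z]+|\d+", label)


def lookalike_reasons(domain: str) -> list[str]:
    """Return why a domain looks like brand impersonation; an empty list means no hit."""
    domain = domain.lower()
    if domain in ALLOWLIST:
        return []
    label = registrable_label(domain)
    reasons = []
    for tok in tokens(label):
        # A full brand word, or a truncated prefix of one at least 3 chars long
        # ('goo' -> google). Short prefixes are deliberately noisy: this is triage.
        if len(tok) >= 3 and any(brand.startswith(tok) for brand in BRAND_WORDS):
            reasons.append(f"brand token '{tok}'")
    # Near-miss spellings of an allowlisted label, e.g. 'micr0soft' vs 'microsoft'.
    for legit in sorted(ALLOWLIST):
        ratio = SequenceMatcher(None, label, registrable_label(legit)).ratio()
        if 0.8 <= ratio < 1.0:
            reasons.append(f"near-miss of '{legit}' (similarity {ratio:.2f})")
    return reasons


if __name__ == "__main__":
    # Constructed batch: the two article domains plus benign controls.
    for d in ("goo-link.online", "online365-office.com", "micr0soft.com", "google.com", "example.org"):
        print(f"{d:24} {lookalike_reasons(d) or 'clean'}")
```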

DEEP LINKS WITH RUSSIA

Cold River has made several missteps in recent years that have allowed cybersecurity analysts to determine the exact location and identity of one of its members, providing the clearest indication yet of the group’s origin, according to experts from internet giant Google, British defense contractor BAE and US intelligence firm Nisos.

Several personal email addresses used to set up Cold River missions belong to Andrey Korinets, a 35-year-old computer scientist and bodybuilder in Syktyvkar, about 1,600 km (1,000 miles) northeast of Moscow. The use of these accounts left a trail of digital evidence connecting different hacks to Korinets’ online life, including social media accounts and personal websites.

Billy Leonard, a security engineer with Google’s threat analysis group that investigates nation-state hacking, said Korinets was involved. “Google linked this individual to the Russian hacking group Cold River and its early operations,” he said.

Vincas Ciziunas, a security researcher at Nisos who also connected Korinets’ email addresses to Cold River activity, said the computer scientist appeared historically to have been a “central figure” in Syktyvkar’s hacking community. Ciziunas discovered a series of Russian-language internet forums, including an eZine, where Korinets had discussed hacking, and shared those posts with Reuters.

Korinets confirmed in an interview with Reuters that he owned the email accounts in question, but denied any knowledge of Cold River. He said his only hacking experience dated back years, to when he was fined by a Russian court for a computer crime committed during a business dispute with a former client.

Reuters was able to separately confirm Korinets’ ties to Cold River using data compiled through the cybersecurity research platforms Constella Intelligence and DomainTools, which help identify website owners: the data showed that Korinets’ email addresses registered many of the websites used in Cold River’s hacking campaigns between 2015 and 2020.

It is not known whether Korinets has been involved in any hacking operations since 2020. He gave no explanation as to why these email addresses were used and did not respond to further phone calls and emailed questions.

Reporting by James Pearson and Christopher Bing; additional reporting by Polina Nikolskaya, Maria Tsvetkova and Anton Zverev, and by Zeba Siddiqui in San Francisco and Raphael Satter in Washington; editing by Chris Sanders and Daniel Flynn


