A Russian hacking group known as Cold River targeted three nuclear research laboratories in the United States this past summer, according to internet records examined by Reuters and five cybersecurity experts.
Cold River targeted the Brookhaven (BNL), Argonne (ANL), and Lawrence Livermore National Laboratories (LLNL) between August and September, according to internet records showing that the hackers created fake login pages for each institution and emailed nuclear scientists in an effort to trick them into revealing their passwords. The campaign coincided with President Vladimir Putin's statement that Russia would be willing to use nuclear weapons to defend its territory.
Reuters could not determine why the labs were targeted or whether any intrusion attempts were successful. A BNL representative declined to comment, and LLNL did not answer a request for comment. An ANL representative forwarded Reuters' inquiry to the U.S. Department of Energy, which declined to comment.
Since the invasion of Ukraine, cybersecurity experts and western government officials say Cold River has intensified its hacking campaign against Kyiv's allies. The digital assault on the American laboratories coincided with U.N. experts entering Russian-controlled territory in Ukraine, amid intense shelling nearby, to inspect the continent's largest nuclear power plant and evaluate the risk of what both sides said could be a catastrophic radiation disaster.
Cold River, which first appeared on the radar of intelligence professionals after targeting Britain's foreign office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms. Reuters traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar. "This is one of the most important hacking groups you've never heard of," said Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm CrowdStrike.
Russia's Federal Security Service (FSB), the domestic security agency that also conducts espionage campaigns for Moscow, and Russia's embassy in Washington did not respond to emailed requests for comment.
Cold River has been linked to the attempted nuclear lab hacks, based on shared digital fingerprints that researchers have historically tied to the group. Western officials say the Russian government is a global leader in hacking and uses cyber espionage to spy on foreign governments and industries. Moscow has consistently denied that it carries out hacking operations.
The U.S. National Security Agency (NSA) declined to comment on Cold River's activities. Britain's Global Communications Headquarters (GCHQ), its NSA equivalent, did not comment. The foreign office declined to comment.
In May, Cold River broke into and leaked emails belonging to the former head of Britain's MI6 spy service. That was just one of several 'hack and leak' operations last year by Russia-linked hackers. Cold River also registered domain names designed to imitate at least three European NGOs investigating war crimes, according to French cybersecurity firm SEKOIA.IO.
The groups were targeted just days after a U.N. report said Russian forces were responsible for the "vast majority" of human rights violations in the early weeks of the Ukraine war. Cold River is seeking to contribute to "Russian intelligence collection about identified war crime-related evidence and/or international justice procedures," SEKOIA wrote.
The Commission for International Justice and Accountability (CIJA), a nonprofit founded by a veteran war crimes investigator, said Russia-backed hackers had repeatedly and unsuccessfully targeted it over the past eight years. Requests for comment to the other two NGOs, the International Center of Nonviolent Conflict and the Centre for Humanitarian Dialogue, went unanswered.
A request for comment regarding the attempted hack against CIJA was not answered by the Russian embassy in Washington.
Cold River has used a variety of tactics to trick computer users into entering their usernames and passwords on fake websites, security researchers say. The group has registered domain names such as "goo-link.online" and "online365-office.com," which at a glance look similar to legitimate services operated by firms like Google and Microsoft.
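As an added illustration of how a defender can screen newly observed domains for the kind of brand lookalikes described above (this is example code, not part of the Reuters reporting), the check below tokenizes a domain's registrable label and flags brand tokens, embedded brand strings, truncated brands and near-miss spellings. The brand list, the allowlist and the control domains other than the two named in the article are constructed for the example.

```python
import difflib
import re

# Constructed brand tokens and allowlist for the example; a real deployment
# would use the organisation's own lists and a public-suffix library.
BRAND_TOKENS = sorted({"google", "gmail", "office", "365", "microsoft", "outlook", "onedrive"})
LEGIT_DOMAINS = {"google.com", "gmail.com", "office.com", "microsoft.com", "microsoftonline.com"}

# The two domains named in the article plus constructed controls.
SAMPLE_DOMAINS = ["goo-link.online", "online365-office.com",
                  "example.org", "office.com", "micros0ft-login.net"]


def registrable(domain):
    """Naive registrable domain: last two labels (no public-suffix handling here)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def tokens(label):
    """Split a label on anything that is not a letter or digit, e.g. 'goo-link' -> ['goo', 'link']."""
    return re.findall(r"[a-z0-9]+", label.lower())


def lookalike_reasons(domain):
    """Return a list of human-readable reasons the domain resembles a brand; empty if none."""
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:          # known-good, do not score
        return []
    reasons = []
    for tok in tokens(reg.split(".")[0]):
        if tok in BRAND_TOKENS:                       # exact brand word as a token
            reasons.append(f"brand token '{tok}'")
            continue
        embedded = [b for b in BRAND_TOKENS if b in tok]   # brand buried in a longer token
        if embedded:
            reasons.append(f"contains brand '{embedded[0]}'")
            continue
        truncated = [b for b in BRAND_TOKENS if len(tok) >= 3 and b.startswith(tok)]
        if truncated:                                 # 'goo' as a clipped 'google'
            reasons.append(f"truncated brand '{tok}' -> '{truncated[0]}'")
            continue
        for b in BRAND_TOKENS:                        # near-miss spelling, e.g. digit swapped in
            ratio = difflib.SequenceMatcher(None, tok, b).ratio()
            if len(tok) >= 5 and ratio >= 0.8:
                reasons.append(f"near match '{tok}' ~ '{b}' ({ratio:.2f})")
                break
    return reasons


def scan(domains):
    """Map each domain to its reasons, keeping only the flagged ones."""
    return {d: r for d in domains if (r := lookalike_reasons(d))}
```

Run `scan(SAMPLE_DOMAINS)` to see both article domains flagged while the allowlisted and unrelated controls are not; thresholds and brand lists need tuning per organisation.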
Cold River made several missteps that allowed cybersecurity analysts to pinpoint the exact location and identity of one of its members. Andrey Korinets, a 35-year-old IT worker and bodybuilder, lived in Syktyvkar, about 1,600 km (1,000 miles) northeast of Moscow. His use of the same email accounts left a trail of digital evidence leading from different hacks back to his social media accounts and websites.
Korinets has historically been a key figure in Syktyvkar's hacking community, and Google has tied him to the Russian hacking group Cold River, according to security researcher Vincas Ciziunas. Security researcher Billy Leonard, who worked on Google's Threat Analysis Group, which investigates nation-state hacking, also connected Korinets' email addresses to Cold River activity.
Data obtained by Reuters showed that Korinets' email addresses registered numerous websites used in Cold River hacking campaigns between 2015 and 2020. He denied any knowledge of Cold River but admitted that he had previously been fined for computer crimes.
It is unclear whether Korinets has been involved in hacking operations since 2020. He offered no explanation of why these email addresses were used and did not respond to further phone calls or emails.
Source: Reuters