Pierluigi Paganini January 09, 2023

Russia-linked Cold River APT targeted three nuclear research laboratories in the United States in 2022 summer, Reuters reported.

Reuters reported that the Russia-linked APT group Cold River (aka Calisto) targeted three nuclear research laboratories in the United States between August and September 2022.

The Cold River APT group targeted the Brookhaven (BNL), Argonne (ANL), and Lawrence Livermore National Laboratories (LLNL). Threat actors created fake login pages for each organization and sent spear-phishing messages to nuclear scientists in an attempt to trick them into providing their passwords.

Reuters is not able aware to determine if threat actors were able to breach into the target networks, and potentially impacted organizations declined to comment or not responded to the news outlet.

Cybersecurity and intelligence experts observed an escalation in the activity associated with the Cold River APT since the invasion of Ukraine. In March 2022, the Google Threat Analysis Group (TAG) spotted phishing and malware attacks targeting Eastern European and NATO countries, including Ukraine.

The researchers uncovered a phishing campaign conducted by the COLDRIVER (aka Calisto) APT against a NATO Centre of Excellence and Eastern European militaries. The attacks of the group also aimed at a Ukrainian defense contractor and several US-based non-governmental organizations (NGOs) and think tanks.

Google experts pointed out that this is the first time that the cyber spies target NATO and the military of multiple Eastern European countries.

“The digital blitz against the U.S. labs occurred as U.N. experts entered Russian-controlled Ukrainian territory to inspect Europe’s biggest atomic power plant and assess the risk of what both sides said could be a devastating radiation disaster amid heavy shelling nearby.” reported Reuters.

“Reuters showed its findings to five industry experts who confirmed the involvement of Cold River in the attempted nuclear labs hacks, based on shared digital fingerprints that researchers have historically tied to the group.”

In May, the APT group set up a website that published leaked emails from leading proponents of Britain’s exit from the EU, Reuters reported.

According to a Google cybersecurity official and the former head of UK foreign intelligence, the “Very English Coop d’Etat” website was set up to publish private emails from Brexit supporters, including former British MI6 chief Richard Dearlove, leading Brexit campaigner Gisela Stuart, and historian Robert Tombs.

Cybersecurity firm SEKOIA.IO recently uncovered a cyber espionage campaign targeting at least three European NGOs investigating war crimes.

“Despite the absence of technical evidence associating Calisto activities with a known Russian cyber offensive service, SEKOIA.IO assess that this intrusion set intelligence collection activities targeting parties involved in Ukraine support, especially those in the tactical equipment logistics, probably contribute to Russian efforts to disrupt Kiev supply-chain for military reinforcements.” reads the report. published by SEKOIA. “Based on the targeting of Commission for International Justice and Accountability NGO, SEKOIA.IO assess that Calisto contributes to Russian intelligence collection about identified war crime-related evidence and/or international justice procedures, likely to anticipate and build counter narrative on future accusations.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Nuclear scientists)

[adrotate banner=”5″]

[adrotate banner=”13″]