Exclusive: Russian hackers targeted U.S. nuclear scientists
LONDON/WASHINGTON, Jan 6 (Reuters) – A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States last summer, according to internet records reviewed by Reuters and five cybersecurity experts.
Between August and September, as President Vladimir Putin indicated that Russia would be willing to use nuclear weapons to defend its territory, Cold River targeted Brookhaven National Laboratories (BNL), Argonne (ANL) and Lawrence Livermore (LLNL), according to online data that showed hackers creating fake login pages for each institution and emailing nuclear scientists in an attempt to get them to reveal their passwords.
Reuters was unable to determine why the labs were targeted or whether any intervention efforts were successful. A BNL spokesman declined to comment. LLNL did not respond to a request for comment. An ANL spokesman referred questions to the US Department of Energy, which declined to comment.
Cold River has escalated its hacking campaign against Kiev’s allies since the invasion of Ukraine, according to cybersecurity researchers and Western government officials. The digital blitz against US labs came as UN experts entered Russian-controlled Ukrainian territory to inspect Europe’s largest nuclear power plant and assess the risk of what both sides said could be a devastating radiation disaster. amid heavy bombing nearby.
Cold River, which first appeared on the radar of intelligence professionals after targeting Britain’s foreign office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cyber security firm. Reuters traced the email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.
“This is one of the most important hacker groups you’ve never heard of,” said Adam Meyers, senior vice president of intelligence at US cybersecurity firm CrowdStrike. “They are involved in directly supporting the Kremlin’s information operations.”
Russia’s Federal Security Service (FSB), the domestic security agency that also conducts espionage campaigns for Moscow, and the Russian embassy in Washington did not respond to emailed requests for comment.
Western officials say the Russian government is a global leader in hacking and uses cyber espionage to spy on foreign governments and industries to seek a competitive advantage. However, Moscow has repeatedly denied conducting hacking operations.
Reuters shared its findings with five industry experts, who confirmed Cold River’s involvement in attempted hacks at nuclear labs based on common digital fingerprints that researchers have historically linked to the group.
The US National Security Agency (NSA) declined to comment on Cold River’s activities. Britain’s Global Communications Headquarters (GCHQ), its NSA equivalent, did not comment. The Foreign Office declined to comment.
In May, Cold River hacked and leaked emails belonging to the former head of Britain’s MI6 spy service. This was just one of several hack and leak operations last year by Russian-linked hackers in which confidential communications were made public in Britain, Poland and Latvia, according to cybersecurity experts and Eastern European security officials.
In another recent espionage operation targeting critics of Moscow, Cold River registered domain names designed to impersonate at least three European NGOs investigating war crimes, according to French cybersecurity firm SEKOIA.IO.
The hacking attempts linked to the NGO occurred shortly before and after the October 18 launch of a report by an independent UN commission of inquiry that found Russian forces were responsible for the “vast majority” of human rights abuses. in the first weeks of the war in Ukraine. which Russia has called a special military operation.
In a blog post, SEKOIA.IO said that, based on the targeting of NGOs, Cold River was seeking to contribute to the “gathering of Russian intelligence regarding identified evidence related to war crimes and/or international extradition proceedings.” justice”. Reuters was unable to independently confirm why Cold River targeted NGOs.
The Commission for International Justice and Accountability (CIJA), a non-profit organization founded by a veteran war crimes investigator, said it had been repeatedly targeted by Russian-backed hackers in the past eight years without success. Two other NGOs, the International Center for Nonviolent Conflict and the Center for Humanitarian Dialogue, did not respond to requests for comment.
The Russian Embassy in Washington did not return a request seeking comment about the hacking attempt against CIJA.
Cold River has used tactics such as tricking people into entering their usernames and passwords on fake websites to gain access to their computer systems, security researchers told Reuters. To do this, Cold River used a variety of email accounts to register domain names such as “goo-link.online” and “online365-office.com” which at a glance appear similar to legitimate services operated by the firm such as Google and Microsoft. , security researchers said.
DEEP CONNECTIONS WITH RUSSIA
Cold River made several mistakes in recent years that allowed cybersecurity analysts to pinpoint the exact location and identity of one of its members, providing the clearest indication yet of the group’s Russian origins, according to experts from Internet giant Google, the contractor British defense firm BAE, and American intelligence firm Nisos.
Multiple personal email addresses used to set up the Cold River missions belong to Andrey Korinets, a 35-year-old IT worker and bodybuilder in Syktyvkar, about 1,600 km (1,000 miles) northeast of Moscow. The use of these accounts left a trail of digital evidence from various hacks into Korinets’ online life, including social media accounts and personal websites.
Billy Leonard, a security engineer in Google’s Threat Analysis Group, which investigates nation-state hacking, said Korinets was involved. “Google has linked this individual to the Russian hacking group Cold River and their early operations,” he said.
Vincas Ciziunas, a security researcher at Nisos who also linked Korinets’ email addresses to Cold River’s activity, said the IT worker appeared to be a “central figure” in Syktyvkar’s hacking community, historically. Ciziunas discovered a series of Russian-language Internet forums, including an eZine, where Korinets had discussed hacking, and shared those posts with Reuters.
Korinets confirmed that he owned the relevant email accounts in an interview with Reuters, but he denied any knowledge of Cold River. He said his only experience with hacking came years ago when he was fined by a Russian court for a computer crime committed during a business dispute with a former client.
Reuters was able to separately confirm Korinets’ links to Cold River using data compiled through cybersecurity research platforms Constella Intelligence and DomainTools, which help identify website owners: the data showed that the email addresses of The Korinets recorded numerous websites used in Cold River’s hacking campaigns. between 2015 and 2020.
It is unclear whether Korinets has been involved in hacking operations since 2020. He offered no explanation as to why these email addresses were used and did not respond to further phone calls and emailed inquiries.
Reporting by James Pearson and Christopher Bing Additional reporting by Polina Nikolskaya, Maria Tsvetkova and Anton Zverev; and Zeba Siddiqui in San Francisco and Raphael Satter in Washington Editing by Chris Sanders and Daniel Flynn
Our Standards: The Thomson Reuters Trust Principles.