Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware

Just in time for the US election season, one of the Kremlin's favorite hack-and-leak spy groups — Star Blizzard — has developed its very first custom backdoor.

Icy river bank, hoarfrost on trees, Isar, nature reserve Isarauen, Bavaria, Germany
Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

The Russia-backed advanced persistent threat (APT) known as ColdRiver has taken a dive into the icy waters of custom malware, rolling out a proprietary backdoor called "Spica." The use of malware represents a significant evolution in the group's tactics, techniques, and procedures (TTPs), and one that potential targets need to take note of, researchers say — especially as election season looms.

ColdRiver (aka Blue Charlie, Callisto, Star Blizzard, or UNC4057) typically targets NGOs, former intelligence and military officers, and NATO governments to carry out cyber espionage — and indeed, it last made headlines in December when Microsoft caught it lifting data from British government higher-ups.

But as far as researchers knew, its modus operandi has always involved infiltrating accounts that house sensitive information via long-con credential phishing: i.e., impersonating a trusted source or expert, building rapport, and eventually down the line, sending a phishing link or document containing a link.

It turns out, ColdRiver actually has an extended set of capabilities, according to research from Google's Threat Analysis Group (TAG).

"Recently, TAG has observed ColdRiver … delivering malware via campaigns using PDFs as lure documents," Google TAG researchers explained in a report on ColdRiver released today. "In 2015 and 2016, TAG observed ColdRiver using the Scout implant that was leaked during the Hacking Team incident of July 2015. [But] Spica represents the first custom malware that we attribute being developed and used by ColdRiver."

The researchers tell Dark Reading that they don't have visibility into the specific profiles or number of victims who have been successfully compromised with Spica, beyond noting the campaigns target Ukraine, NATO countries, academic institutions, and NGOs. However, "we believe that Spica was only used in very limited, targeted attacks," aligning with ColdRiver's known TTPs.

Spica: A Spicy Little Backdoor Malware

As far as what the Spica attacks look like in practice, the Russian baddie delivers the malware using its trusty impersonation tactic, Google TAG researchers said, after building up a relationship with the target.

"ColdRiver presents [PDF] documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted," according to the report.

When targets inevitably respond that they can't read the encrypted document, ColdRiver sends a link, cleverly purporting to lead to a "decryption" utility — which is, of course, actually the Spica malware.

Once executed, Spica opens a supposedly "decoded" PDF as a decoy, while quietly establishing persistence and hooking up with its command-and-control server (C2).

Google TAG researchers broke down the binary, discovering that it's written in Rust, and uses JSON over websockets for C2. In terms of capabilities, it's a bit of a Swiss Army knife, with commands that include:

  • Executing arbitrary shell commands;

  • Stealing cookies from Chrome, Firefox, Opera, and Edge;

  • Uploading and downloading files;

  • Perusing the filesystem by listing the contents of it;

  • And enumerating documents and exfiltrating them in an archive.

Google discovered Spica in the wild in September, but the researchers said the backdoor was probably circulating as far back as November 2022.

"We believe there may be multiple versions of the Spica backdoor, each with a different embedded decoy document to match the lure document sent to targets," according to the analysis.

Cyber Espionage? ColdRiver Runs Through It

The Spica evolution is just the latest reinvention for the Kremlin-affiliated group, which consistently changes up its tactics to throw researchers off its scent. For instance, in August, it swapped out its entire attack and phishing infrastructure for a network of 94 new domains.

"Diversifying their TTPs by integrating custom malware into their campaigns could allow for a broader range of capabilities to conduct their operations," Google TAG researchers explain to Dark Reading. "They have invested time and resources into the development of custom capabilities, such as Spica, and remain persistent in achieving their goals."

Those goals are, of course, aligned to Russian state interests — for instance, election hacking. In the December attacks flagged by Microsoft, the goal was to influence the UK's democratic processes by heisting and leaking sensitive documents, as an example.

"For several years, multiple Western countries have accused Russia of attempting to conduct espionage against its adversaries, sowing disinformation and otherwise seeking to undermine democratic processes," says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. "Such covert activities also allow Russia to extract sensitive information, maintain persistence within systems of organizations of strategic interest, and obtain intelligence to guide Russian foreign policy. While this activity is unlikely to outright decide elections, it can subtly move the needle of intentional politics in Russia's favor."

As the US gears up for a presidential election in November, expect Star Blizzard to be in the mix, says John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud.

“This is an actor to watch closely, especially as election season approaches," he warns. "They are not afraid to leak the documents they steal, and meddle in politics."

He adds that ColdRiver sits firmly at the nexus Russian political cyber activity: It's linked to Center 18 of the FSB, which itself is responsible for a raft of high-profile cyber incidents.

"Center 18 has been previously publicly linked to intrusions into Yahoo! that involved a coopted cyber criminal, as well as intrusions by a young Canadian national who was hired to target accounts," he explains. "The Center is also tied to the Gamaredon cyber espionage activity, which is reportedly conducted by former Ukrainian SBU officers who defected to Russia during the occupation of Crimea. Another FSB Center, Center 16, is tied to the infamous Turla cyber espionage activity, as well as a series of intrusions into global critical infrastructure best known as Energetic Bear."

To prevent becoming an unwitting pawn in the geopolitical chess match, researchers note that likely targets should implement safeguards against domain impersonation; install robust email security protocols like DMARC, SPF, and DKIM; enable Enhanced Safe Browsing for Chrome; ensure that all devices are updated; and vet carefully any previously unknown entity purporting to be a colleague or field expert that approaches.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights