Google: Russian state hackers deploying malware in espionage attacks around Europe

Russian state hackers are increasingly attempting to deploy backdoors on the devices of targets in NATO countries and Ukraine, according to new research from Google’s Threat Analysis Group.

The researchers found that the tactics of hackers from Center 18, a unit within Russia’s Federal Security Service (FSB), have evolved in recent months to more sophisticated efforts involving PDF files. The researchers dub the hackers COLDRIVER and say that since November 2022 they have lured victims into downloading backdoors onto their devices through the documents.

For years, Center 18 has been a key part of the Russian government’s hacking operations, participating in efforts to compromise systems used by the U.S. government, among others.

A Google spokesperson told Recorded Future News that the main targets are high-profile individuals in NGOs, former intelligence and military officials and NATO governments.

COLDRIVER actors typically approach victims pretending to be experts in a field of study or members of organizations affiliated with the target of the operation. As in many other sophisticated espionage efforts, the hackers attempt to build a relationship with the victim in an effort to get them to open documents.

“As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts. COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted,” TAG said.

“If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a ‘decryption’ utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine.”

The researchers said SPICA is the first custom malware whose development and use have been attributed to COLDRIVER. SPICA allows the hackers to steal cookies from Chrome, Firefox, Opera and Edge, and to upload, download, enumerate and exfiltrate documents.

SPICA was first seen in September 2023 but researchers said they believe the malware has been used since November 2022.

“While TAG has observed four different variants of the initial ‘encrypted’ PDF lure, we have only been able to successfully retrieve a single instance of SPICA,” they said.

“We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.”

Researchers said Google has tried to disrupt the campaign by adding all known domains and hashes to Safe Browsing blocklists.

Google said it has also sent “all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity” and warned them to enable Enhanced Safe Browsing for Chrome.

Google cited recent reports from Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in December that highlighted the group’s tactics, including the abuse of webmail addresses from Outlook, Gmail, Yahoo and Proton to target defense agencies, academia, governmental organizations, NGOs, think tanks and politicians.

Google’s TAG released a report in 2022 accusing COLDRIVER actors of targeting several U.S.-based NGOs, think tanks, the military of a Balkan country and a Ukrainian defense contractor with credential phishing campaigns.

Two members of Center 18 — officers Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets — were charged by the U.S. Justice Department for their alleged role in targeting U.S. government and military officials as part of a hacking campaign also aimed at the United Kingdom, Ukraine and NATO.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.