Reuters broke an “exclusive” story on January 6 that, “according to Internet records reviewed by Reuters and five cyber security experts,” a Russian hacking team known as Cold River targeted three Department of Energy laboratories—Argonne, Brookhaven, and Lawrence Livermore—with a phishing scheme in the summer of 2022.
Reuters reported that between August and September Cold River created fake login pages for each institution and then emailed lab employees hoping they would reveal their passwords on the fake websites. Reuters was unable to determine “why the labs were targeted or if any attempted intrusion was successful.”
The investigation: According to Reuters, Cold River first came to the attention of intelligence professionals after it targeted Britain's foreign office in 2016, and “has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms.”
Reuters traced email accounts used in hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar. It showed its findings to five industry experts, who confirmed Cold River's involvement in the attempted hacks of the nuclear labs based on shared digital fingerprints that researchers have historically tied to the group.
Personal email addresses used to set up Cold River missions reportedly belong to Andrey Korinets, a 35-year-old IT worker and bodybuilder in Syktyvkar, about 1,600 km (1,000 miles) northeast of Moscow.
According to Reuters, “Cold River made several missteps in recent years that allowed cybersecurity analysts to pinpoint the exact location and identity of one of its members, providing the clearest indication yet of the group's Russian origin, according to experts from Internet giant Google, British defense contractor BAE, and U.S. intelligence firm Nisos.”
No comment: According to Reuters, several entities contacted by reporters either did not respond to a request for comment or declined to provide comments, including the three national laboratories, the DOE, the U.S. National Security Agency, the U.K. Global Communications Headquarters, the U.K. foreign office, Russia's Federal Security Service, and Russia's embassy in Washington, D.C.