Over the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group focused on credential phishing activities against high profile individuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their extended capabilities which now includes the use of malware.
COLDRIVER continues its focus on credential phishing against Ukraine, NATO countries, academic institutions and NGOs. In order to gain the trust of targets, COLDRIVER often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success, and eventually sends a phishing link or document containing a link. Recently published information on COLDRIVER highlights the group’s evolving tactics, techniques and procedures (TTPs), to improve its detection evasion capabilities.
Recently, TAG has observed COLDRIVER continue this evolution by going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents. TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.