Over time, TAG has investigated a variety of persistent threats, including COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto. This Russian threat group has concentrated on credential phishing activities aimed at high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officers, and NATO governments. TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To enhance the community’s understanding of COLDRIVER’s activity, we are shedding light on their expanded capabilities, which now include the use of malware.
COLDRIVER remains focused on credential phishing against Ukraine, NATO countries, academic institutions, and NGOs. To gain the trust of targets, COLDRIVER often uses impersonation accounts, pretending to be an expert in a particular field or to be somehow affiliated with the target. The impersonation account is then used to build rapport with the target, increasing the likelihood that the phishing campaign succeeds, and eventually to send a phishing link or a document containing a link. Recently published information on COLDRIVER highlights the group’s evolving tactics, techniques, and procedures (TTPs), which are aimed at improving its ability to evade detection.
Recently, TAG has observed COLDRIVER continuing this evolution by moving beyond phishing for credentials to delivering malware via campaigns using PDFs as lure documents. TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.