One of Russia’s elite hacking teams has found a clever way to penetrate its targets.
Instead of the usual phishing emails designed to trick people into typing in their passwords, hackers affiliated with Moscow’s Federal Security Service started sending their victims PDF documents with text that appeared to be encrypted. If victims responded that they couldn’t read the document, the hackers would respond with a link to a downloadable tool for decrypting the text. But while that tool would appear to reveal the document’s message, it was actually malware, according to research that Google published on Thursday.
The newly revealed malware, dubbed “SPICA,” is the first piece of custom hacking software developed by this Russian cyber unit, which Google calls “Coldriver.” (Others in the cybersecurity industry have dubbed the gang “Star Blizzard.”) That malware discovery is significant: Google’s new report highlights how the Kremlin’s cyber army is increasingly turning to customized solutions and advanced trickery to bypass its victims’ defenses.
Since 2019, Coldriver has been at the forefront of Russia’s efforts to hack current and former military and intelligence officials, NATO governments and some non-governmental organizations. But since 2022, according to security experts, Coldriver has become more sophisticated, shifting tactics to evade detection and improve its effectiveness. It has sidestepped common techniques that defenders use to block cyberattacks, for example by sending its lures through email marketing services rather than from its own servers, which security companies may already have on their radar. In early 2023, Coldriver made headlines for targeting U.S. nuclear research laboratories.
For a group seeking to avoid the pitfalls that commonly trip up hackers, developing custom malware — bespoke code that is less likely to trigger alarms inside a victim’s computer network — is a natural next step.
Coldriver’s SPICA malware can steal sensitive personal data, such as cookies, from web browsers, as well as map a computer’s files and send them to a hacker-controlled server, according to Google. Some of the malware’s functionality remains mysterious, including a command called “telegram.”
Google researchers first spotted SPICA in September 2023 but suspect Moscow had been using it for more than a year at that point.
“We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets,” the researchers wrote.
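A backdoor that carries its own decoy document gives analysts one cheap triage check: look for a complete PDF stored inside the executable. The script below is an added example, not code from Google’s report or from SPICA itself, and it assumes only that the decoy is embedded as raw, uncompressed PDF bytes (the simplest way to do it); the page does not say how SPICA stores its decoys, and a compressed or encrypted decoy would not be found this way. The carrier bytes at the bottom are constructed for the demonstration and contain nothing malicious.

```python
"""Triage helper: locate and carve PDF documents embedded in another file.

Added example (hypothetical helper, not Google's or SPICA's code). Assumes the
decoy is stored as plain PDF bytes inside the carrier; compressed or encrypted
decoys are out of scope for this check.
"""
import re
from dataclasses import dataclass
from typing import List

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"


@dataclass
class EmbeddedPdf:
    offset: int   # byte offset of the %PDF- header inside the carrier
    length: int   # bytes from the header through the closing %%EOF (+newline)
    version: str  # header version string, e.g. "1.4"


def find_embedded_pdfs(data: bytes) -> List[EmbeddedPdf]:
    """Return every candidate PDF found in data, in file order.

    A candidate starts at a '%PDF-x.y' header and ends just after the last
    '%%EOF' marker that precedes the next header (or the end of the data).
    A header with no '%%EOF' after it is reported as running to the end of
    the data, so a truncated decoy is still surfaced for manual inspection.
    """
    found = []
    header = re.escape(PDF_MAGIC) + rb"\d\.\d"
    starts = [m.start() for m in re.finditer(header, data)]
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(data)
        eof = data.rfind(PDF_EOF, start, limit)
        end = eof + len(PDF_EOF) if eof != -1 else limit
        # Keep the CR/LF that conventionally follows %%EOF, if present.
        while end < limit and data[end:end + 1] in (b"\r", b"\n"):
            end += 1
        version = data[start + len(PDF_MAGIC):start + len(PDF_MAGIC) + 3]
        found.append(EmbeddedPdf(start, end - start, version.decode("ascii")))
    return found


def carve(data: bytes, hit: EmbeddedPdf) -> bytes:
    """Return the bytes of one embedded PDF so it can be written out and viewed."""
    return data[hit.offset:hit.offset + hit.length]


# Constructed sample: a PE-like carrier with a minimal, harmless PDF inside it.
DECOY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)
SAMPLE_CARRIER = (
    b"MZ" + b"\x90" * 64
    + b"This program cannot be run in DOS mode" + b"\x00" * 32
    + DECOY_PDF
    + b"\x00" * 16 + b"Encrypted message (decoy text)"
)

if __name__ == "__main__":
    for hit in find_embedded_pdfs(SAMPLE_CARRIER):
        print(f"PDF {hit.version} at offset {hit.offset}, {hit.length} bytes")
```

Run it against a suspected dropper and compare every carved PDF with the lure the target actually received: a decoy that matches the lure, as the report describes, is a strong hint that the binary and the phishing email belong to the same campaign even before any dynamic analysis.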
As firewalls and malware detection software have become more sophisticated, some hackers have eschewed custom malware and begun designing attacks that rely on stealthily abusing existing software on their targets’ computers, a strategy known as “living off the land.” But the discovery of Russia’s SPICA malware demonstrates that custom code remains a potent tool — especially when used in combination with simple ruses like supposedly encrypted documents.