Google Uncovers New LOSTKEYS Malware Linked to Russia-Based Hacker
Google has uncovered a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group Cold River (also known as UNC4057, Star Blizzard, and Callisto). The malware can steal files matching a hard-coded list of extensions and directories, and it also sends system information and a list of running processes to the attacker. LOSTKEYS marks a new development in the toolset of Cold River, a group primarily known for credential phishing against high-profile targets such as NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers.
More info can be found here: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
Erich Kron, security awareness advocate at cybersecurity firm KnowBe4, commented:
“There can be no doubt that intelligence gathering and cyber warfare are taking place at the nation-state level and will probably do so for the foreseeable future. This is simply the digital version of a spy sneaking in a micro camera and taking pictures of sensitive information and then providing it to whomever they work for. While these attacks are targeting mostly non-governmental organizations (NGOs), many of them do have ties to government agencies and could have information useful to that government’s adversaries.
“Because it seems they prefer tactics such as social engineering through email phishing, organizations should ensure that they have a well-implemented human risk management (HRM) program in place that includes training and education to help employees fend off social engineering attacks.”
The human element is always the weakest point, so improving it would go a long way toward heading off attacks.
UPDATE: Another comment has come in from Darren Siegel, Lead Sales Engineer at Outpost24:
“This is yet another example showing that credential theft is an ongoing area of risk, as even the strongest passwords can be captured by this kind of malware attack. While obviously the ideal outcome here would be to prevent such attacks from occurring in the first place, it underscores the need for organizations to implement continuous monitoring for compromised credentials, ideally using tools that are informed by threat intelligence that can quickly identify and respond to new breaches.”
This entry was posted on May 7, 2025 at 3:30 pm and is filed under Commentary with tags Google.