
COLDRIVER

coldriver · primary source: Other · first observed 2014
RU · Russia · State-sponsored · High confidence · last cited Dec 6, 2023 · 2y ago

Russian state-sponsored intrusion set publicly assessed by the UK NCSC and Five Eyes partners as 'almost certainly subordinate to FSB Centre 18'. Conducts targeted credential-phishing operations against UK and U.S. political figures, policy NGOs, journalists, defense contractors, and academia, frequently using elaborate impersonation personas. The U.S. DOJ unsealed an indictment of FSB officer Ruslan Peretyatko and Andrey Korinets on 7 December 2023; the UK Foreign Office concurrently announced sanctions and public attribution.

Aliases

Star Blizzard (Microsoft)
SEABORGIUM (Microsoft)
Callisto Group (Other)
TA446 (Other)
BlueCharlie (Other)

Motivations

espionage · information operations

Target sectors

government · ngo · academia · defense · journalism

Target countries

US · GB · UA · DE · FR · BE · PL

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • COLDRIVER
  • Russia
  • espionage
  • information operations
Infrastructure
Victim
  • government
  • ngo
  • academia
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

2 indicators
Type: SHA-256
Value: c97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d
Family: SPICA
Description: SPICA - Rust backdoor delivered as 'Proton-decrypter.exe' in a fake PDF-decryption lure. Google Threat Analysis Group disclosed the sample on 18 January 2024 as the first custom malware they have attributed to COLDRIVER (Star Blizzard / Callisto / SEABORGIUM), assessed as FSB Centre 18.
First seen: Aug 31, 2023
Source: Google TAG

Type: Name
Value: Star Blizzard (Callisto / SEABORGIUM)
Description: Long-running FSB Centre 18 spear-phishing cluster targeting academia, defence, NGOs and government in the UK, US and allied countries. NCSC UK and Five Eyes partners published a joint advisory on 7 December 2023; the same day, the US Treasury (OFAC) and the UK sanctioned FSB officer Ruslan Peretyatko and Andrey Korinets for their role in the operation.
First seen: Dec 31, 2018
Source: NCSC UK

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). COLDRIVER — actor profile. Retrieved from https://threatintel.local/actors/coldriver

latest cited activity · 2023-12-07 · 2 cataloged indicators