The shadowy world of cyber espionage has a new player on the field: a sneaky piece of malware dubbed “LostKeys.” According to Google, a Russian state-backed malware crew known as COLDRIVER has been using LostKeys since the start of the year to snoop on Western governments, journalists, think tanks, and non-governmental organizations.

COLDRIVER isn’t exactly a new kid on the block. Back in December, the UK and its “Five Eyes” intelligence allies pointed the finger at them. The hacking group was directly linked to Russia’s Federal Security Service (FSB), which is basically their counterintelligence and internal security bigwig.

Google discloses LostKeys, a malware linked to Russia

Google’s Threat Intelligence Group (GTIG) first spotted LostKeys in January. It seems COLDRIVER has been deploying it in very targeted “ClickFix” attacks. Think of these as digital con jobs where they trick people into running dodgy PowerShell scripts. Basically, ClickFix attacks are based on classic social engineering.

Once those scripts are running, they pave the way for even more PowerShell nastiness to be downloaded and executed. Their main goal is the installation of LostKeys, which Google has identified as a Visual Basic Script (VBS) data theft malware. According to GTIG’s report, LostKeys is like a “digital vacuum cleaner” that extracts specific files and directories. It also sends system info and runs processes back to the attackers.

COLDRIVER’s usual MO involves stealing login details to pilfer emails and contacts. However, they’ve also been known to deploy another malware called SPICA for grabbing documents and files. LostKeys seems to be serving a similar purpose, but it’s only brought out for those “highly selective cases.” This suggests that it’s a more specialized tool in COLDRIVER’s espionage toolkit.

Interestingly, COLDRIVER isn’t the only state-sponsored group dabbling in these ClickFix attacks. The cyber underworld is apparently a fan of this tactic, with groups linked to North Korea (Kimsuky), Iran (MuddyWater), and even other Russian actors (APT28 and UNK_RemoteRogue) all using similar methods in their recent spying campaigns.

COLDRIVER operating since 2017

COLDRIVER is also known by a few other aliases, like Star Blizzard and Callisto Group. It has been honing their social engineering and open-source intelligence skills to trick targets since at least 2017. Their targets have ranged from defense and government organizations to NGOs and politicians. The group’s attacks have been increasing, especially after Russia’s invasion of Ukraine, even expanding to defense-industrial sites and US Department of Energy facilities.

The US State Department has even slapped sanctions on a couple of COLDRIVER operatives (one reportedly an FSB officer). Currently, US authorities are offering a hefty $10 million reward for any tips that could help track down other members. This reflects the level of seriousness with which the US is taking the group.