Menu
Browse

Cyber Threat Actor: Cold River

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
4 incidents
Profile

Cold River, also known as Calisto, is a threat actor traced to Russia. Public reporting links the group to Kremlin-aligned espionage activities. The actor has been observed since at least 2016, when it targeted the United Kingdom's foreign office. The alias Calisto appears in some threat intelligence reports alongside the primary designation Cold River.

Cold River primarily targets governmental and research institutions in Western countries, with a focus on nuclear laboratories, diplomatic entities, and organizations investigating war crimes. Its operations are described as supporting Russian information operations and strategic objectives rather than financial gain. The group seeks to gather credentials and exfiltrate communications to enable disinformation campaigns. The targeting of nuclear research facilities coincided with heightened geopolitical tensions surrounding Ukraine.

The actor's typical tactics involve phishing emails that direct victims to spoofed login pages mimicking legitimate services such as Google and Microsoft. These domains are registered to closely resemble authentic URLs, facilitating credential harvesting. In addition to credential theft, Cold River conducts hack and leak operations, publishing stolen emails to influence public narratives. Security researchers attribute these activities to Cold River based on consistent digital fingerprints observed across multiple incidents.

Notable publicly reported campaigns include the August‑September 2022 phishing effort against Brookhaven, Argonne and Lawrence Livermore National Laboratories, the April 2022 leak of private emails from prominent Brexit campaigners, and the 2016 intrusion into the UK foreign office. The group has also repeatedly targeted non‑governmental organizations that investigate alleged Russian war crimes, using similar domain‑spoofing techniques. These actions align with the group's pattern of leveraging stolen information to support broader disinformation efforts.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
1 source