Cyber Threat Actor: Andrey Korinets
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
2 incidents |
|---|
Profile
The threat actor known publicly as Cold River is also associated with the alias Andrey Korinets and is believed to operate from Russia. Open source reporting describes Cold River as a Russian state‑aligned hacking group that conducts cyberespionage in support of Kremlin interests. The actor has been linked to a series of credential‑theft operations targeting Western institutions. Its activities are characterized by the use of deceptive domains that mimic legitimate online services.
Cold River’s typical targets include nuclear research laboratories, government agencies, and non‑governmental organizations that investigate war crimes. The group focuses on sectors such as advanced scientific research and public administration, primarily in the United States and Europe. Its strategic objective is espionage that supports Kremlin geopolitical goals. Credential harvesting is the primary means by which the actor seeks to obtain access to sensitive networks.
Observed tactics involve sending phishing emails that contain links to spoofed login pages designed to harvest usernames and passwords. The actor frequently employs domain spoofing techniques that imitate well‑known services such as Google and Microsoft to increase the credibility of the lures. No specific malware families have been publicly associated with these campaigns in the available reporting. The observed tooling consists primarily of social engineering techniques and credential theft.
Attribution to the Russian state is supported by the group’s consistent alignment with Kremlin strategic interests and its previous compromise of European NGOs investigating war crimes. In one representative operation dated August 2022, Cold River targeted Lawrence Livermore National Laboratory and Brookhaven National Laboratory alongside other U.S. nuclear research facilities, using fake login pages to attempt to steal scientists’ credentials. The same reporting notes that the group has previously leaked confidential communications from Western governments and officials. These activities illustrate a pattern of espionage‑focused operations that serve Russian state priorities.
