Date: Aug 2022

Location: United States of America

Summary

A Russian state-aligned hacking group known as Cold River targeted Lawrence Livermore National Laboratory alongside other U.S. nuclear research facilities in a credential theft campaign, deploying spoofed login pages and phishing emails to compromise scientists' accounts. The operation coincided with heightened nuclear tensions and international inspections at Ukrainian power plants, reflecting the group's pattern of supporting Kremlin strategic interests through cyberespionage. While the specific impact on the laboratory remains undetermined, the incident aligns with Cold River's broader activities against Western entities, including war crimes investigators and government agencies, employing deceptive domains mimicking legitimate services to harvest credentials.


Description

Between August and September 2022, the Russian state-aligned hacking group Cold River conducted a cyber espionage campaign targeting three U.S. nuclear research laboratories: Brookhaven National Laboratory (BNL), Argonne National Laboratory (ANL), and Lawrence Livermore National Laboratory (LLNL). The attacks occurred during a period when Russian President Vladimir Putin publicly signaled willingness to deploy nuclear weapons in defense of Russian territory. Cold River operatives created counterfeit login pages mimicking legitimate authentication portals for each institution and sent phishing emails to nuclear scientists affiliated with the laboratories in attempts to harvest credentials. Internet records documented these activities, though investigators could not confirm whether any intrusion attempts succeeded or identify specific motivations beyond the broader targeting of nuclear research infrastructure. The U.S. Department of Energy, overseeing all three laboratories, declined to comment on the incidents when contacted by Reuters. Brookhaven's representatives also declined comment, while Lawrence Livermore did not respond to inquiries.


Cold River's targeting of U.S. nuclear facilities formed part of an escalation in cyber operations against Ukraine's Western allies following Russia's 2022 invasion. The group, active since at least 2015 and linked by Reuters to an IT worker in Syktyvkar, Russia, has historically focused on high-value diplomatic and governmental targets. Cybersecurity researchers from five independent firms confirmed Cold River's involvement in the laboratory attacks through analysis of shared digital fingerprints consistent with the group's known tactics. These include domain spoofing techniques using deceptive URLs like "goo-link.online" and "online365-office.com" to mimic legitimate services from Google and Microsoft. Parallel operations during 2022 included hack-and-leak campaigns against former MI6 leadership in Britain, war crimes investigation NGOs in Europe, and security institutions in Poland and Latvia. The laboratory attacks coincided with United Nations inspections at Ukraine's Zaporizhzhia Nuclear Power Plant amid combat operations raising radiological risks, though no direct operational connection between these events was established. Russian authorities, including the Federal Security Service (FSB) and embassy officials, did not respond to requests for comment regarding Cold River's activities or alleged state sponsorship.
