
Cyber Incident Victim: Argonne National Laboratory

Date: Aug 2022

Location: United States of America

Summary

Russian hackers known as Cold River targeted a U.S. national laboratory along with two other nuclear research facilities using phishing campaigns that impersonated legitimate login pages to steal scientists' credentials. The attacks coincided with heightened nuclear tensions and international inspections at a Ukrainian power plant, though the success of the intrusions remains unclear. The group, linked to Kremlin-aligned espionage, has previously compromised Western government entities and leaked confidential communications, while also mimicking NGOs investigating Russian war crimes. Security researchers attribute the activity to Cold River based on consistent digital fingerprints and its history of supporting Russian information operations.

Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor

Description

Between August and September 2022, the Russian state-aligned hacking group Cold River targeted Argonne National Laboratory (ANL) alongside Brookhaven and Lawrence Livermore National Laboratories in a coordinated cyber-espionage campaign. The hackers created counterfeit login pages mimicking legitimate portals for these nuclear research institutions and sent phishing emails to scientists in an attempt to harvest credentials. This activity coincided with Russian President Vladimir Putin’s public statements about potential nuclear weapon use to defend Russian territory and occurred during a period when United Nations experts were inspecting the Russian-occupied Zaporizhzhia Nuclear Power Plant in Ukraine amid shelling-related safety concerns. Internet records reviewed by Reuters confirmed the targeting campaign, with five independent cybersecurity experts corroborating Cold River’s involvement based on distinctive digital fingerprints historically associated with the group. The U.S. Department of Energy, overseeing all three laboratories, declined to comment when contacted about the incidents. ANL referred inquiries to the Department of Energy, while Brookhaven’s spokesperson declined comment and Lawrence Livermore did not respond to requests.


Cold River’s operations against the laboratories formed part of a broader escalation in cyber-espionage activities against Ukraine’s allies following Russia’s invasion. The group employed domain names resembling legitimate services like Google and Microsoft, including "goo-link.online" and "online365-office.com," to host credential-harvesting infrastructure. This mirrored tactics observed in other Cold River campaigns, such as their May 2022 breach of emails belonging to the former head of Britain’s MI6 and their registration of domains impersonating European NGOs investigating Russian war crimes in Ukraine. Security researchers confirmed Cold River’s persistent use of spear-phishing and fake authentication pages to compromise targets, though no evidence indicated successful intrusions at the nuclear laboratories. The National Security Agency and Britain’s GCHQ declined to comment on Cold River’s activities. The incident occurred against a backdrop of documented Russian cyber operations targeting critical infrastructure and geopolitical adversaries, though Moscow consistently denied involvement in hacking campaigns.
