Cyber Incident Victim: Brookhaven National Laboratory
Date: Aug 2022
Location: United States of America
Summary
Russian hackers known as Cold River targeted Brookhaven National Laboratory and two other U.S. nuclear research facilities with phishing campaigns, creating fake login pages to steal scientists' credentials. The attacks coincided with heightened nuclear tensions and international inspections at a Ukrainian power plant. Whether any of these attempts succeeded remains unclear, but the group has escalated operations against Western entities since Russia's invasion of Ukraine, using lookalike domains that mimic legitimate services such as Google and Microsoft. Cold River, linked to Kremlin-aligned espionage, has previously compromised European NGOs investigating war crimes and leaked confidential communications from Western governments and officials. The U.S. Department of Energy declined to comment on the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Between August and September 2022, Russian state-linked hacking group Cold River targeted Brookhaven National Laboratory (BNL) alongside Argonne and Lawrence Livermore National Laboratories in a coordinated cyber-espionage campaign. The attacks occurred as Russian President Vladimir Putin publicly referenced potential nuclear weapon use, coinciding with United Nations inspections at Ukraine's Zaporizhzhia nuclear power plant during active combat. Cold River employed credential-harvesting techniques by creating counterfeit login pages mimicking legitimate laboratory authentication systems and sending phishing emails to nuclear scientists affiliated with the institutions. These emails attempted to trick researchers into revealing their account credentials through deceptive login portals. Internet records reviewed by cybersecurity experts confirmed Cold River's infrastructure was used to register domain names and deploy phishing infrastructure specifically targeting these three U.S. nuclear research facilities. Reuters identified the campaign through technical evidence showing digital fingerprints historically associated with Cold River operations.

The incident formed part of Cold River's broader escalation against Western targets following Russia's invasion of Ukraine, including parallel operations against European NGOs investigating Russian war crimes in Ukraine. Five independent cybersecurity firms corroborated Cold River's involvement based on shared infrastructure, tactics, and historical patterns matching previous campaigns. The group maintained operational consistency by using lookalike domains such as "goo-link.online" to impersonate legitimate services like Google. While the Reuters report confirmed the targeting methodology and timing, it found no evidence of a successful breach at any of the three laboratories or of data exfiltration. Brookhaven National Laboratory declined to comment on the incident when contacted, and the U.S. Department of Energy, which oversees all three facilities, also declined to provide information regarding potential compromises or response measures. The attacks occurred without public attribution from U.S. intelligence agencies, as both the NSA and Britain's GCHQ declined to comment on Cold River's activities when approached by Reuters.
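The detection angle on the technique described in this record is screening DNS or proxy logs for lookalike domains before a counterfeit login page can harvest credentials. The following script is an added example written for this record, not code from the page or from any of the organisations it names. It assumes a list of protected brands (PROTECTED_BRANDS) and a constructed DNS log in which only "goo-link.online" comes from the page; the other queried names are reserved ".example" domains invented for the sample and are not real indicators. It generalises beyond the page's single "goo-" prefix pattern to three checks: a brand name hidden by hyphens, a near-typo of the brand, and a hyphenated fragment that is a truncated brand prefix.

```python
"""
Lookalike-domain screening: flag DNS queries for domains whose registrable
label imitates a protected brand (the "goo-link.online" / Google pattern),
so counterfeit login pages can be caught before credentials leak.
Added example; assumed brand list and constructed log, not data from the page.
"""
import re

# Assumed list of brands whose login pages the organisation wants protected.
PROTECTED_BRANDS = ("google", "microsoft", "office")

# Constructed sample DNS log. Only goo-link.online appears in the incident
# record; the ".example" names are invented and are not real indicators.
SAMPLE_DNS_LOG = """\
2022-08-15T09:12:03Z client=10.0.0.21 query=goo-link.online type=A
2022-08-15T09:12:05Z client=10.0.0.21 query=accounts.google.com type=A
2022-08-15T09:13:10Z client=10.0.0.34 query=micros0ft-login.example type=A
2022-08-15T09:14:22Z client=10.0.0.34 query=internal.corp.example type=A
"""

QUERY_RE = re.compile(r"\bquery=(?P<domain>[A-Za-z0-9.-]+)")


def registrable_label(domain: str) -> str:
    """Second-level label, lowercased. Naive: treats the last dotted part as
    the TLD (a production version would consult the public suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str, brands=PROTECTED_BRANDS) -> list:
    """One human-readable reason per brand the domain imitates; [] means clean."""
    label = registrable_label(domain)
    fragments = label.split("-")
    # Candidates: the label with hyphens removed, plus each hyphenated fragment.
    candidates = [(label.replace("-", ""), False)]
    if len(fragments) > 1:
        candidates += [(f, True) for f in fragments if len(f) >= 3]
    reasons = []
    for brand in brands:
        if label == brand:
            continue  # the brand's own registrable label, e.g. accounts.google.com
        threshold = max(1, len(brand) // 4)  # roughly one typo per 4 brand characters
        for text, is_fragment in candidates:
            if brand in text:
                reasons.append(f"'{label}' contains '{brand}' once hyphens are removed")
                break
            dist = edit_distance(text, brand)
            if dist <= threshold:
                reasons.append(f"'{text}' is within {dist} edit(s) of '{brand}'")
                break
            if is_fragment and brand.startswith(text):
                reasons.append(f"hyphenated fragment '{text}' is a prefix of '{brand}'")
                break
    return reasons


def scan_dns_log(log_text: str, brands=PROTECTED_BRANDS) -> dict:
    """Map each queried domain that looks like a brand lookalike to its reasons."""
    hits = {}
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        domain = match.group("domain")
        reasons = lookalike_reasons(domain, brands)
        if reasons:
            hits[domain] = reasons
    return hits


if __name__ == "__main__":
    for domain, reasons in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

The prefix rule is deliberately limited to hyphenated fragments so that short legitimate labels are not flagged on their own; the edit-distance threshold scales with brand length so a single character swap in a long brand is caught without flagging every four-letter word as a typo of a short one.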
