9 January 2023

Russian Cold River hackers targeted US nuclear research labs

A Russian hacker group known as Cold River or Calisto targeted three nuclear research laboratories in the United States last summer, Reuters reported.

According to the news agency, the hackers targeted the Argonne, Brookhaven and Lawrence Livermore National Laboratories using phishing emails that led to fake login pages designed to trick nuclear scientists into revealing their passwords. It’s not clear if these attacks were successful.

Spokespersons for Brookhaven and Lawrence Livermore National Laboratories declined to comment to Reuters. A spokesperson for the Argonne National Laboratory referred questions to the US Department of Energy, which in turn also declined to comment.

Cold River has escalated its hacking campaigns against Western allies of Ukraine following Russia's invasion on February 24, 2022. The attacks on the US nuclear labs occurred as UN experts entered Russian-held Ukrainian territory to inspect the Russian-occupied Zaporizhzhia nuclear plant, Europe's biggest atomic power plant, to assess the risk of a possible radiation accident caused by nearby heavy shelling.

The Cold River group, which is said to be involved in directly supporting Kremlin information operations, was first spotted in 2016 when it targeted Britain's Foreign Office. The threat actor mainly focuses on Western countries, especially the United States, and Eastern European countries. The group has been observed carrying out phishing campaigns aimed at credential theft, targeting military and strategic research sectors such as NATO entities and a Ukraine-based defense contractor, as well as NGOs and think tanks. Additional victimology includes former intelligence officials, experts in Russian matters, and Russian citizens abroad.

Reuters was able to trace emails used by the group from 2015 to 2020 to an IT professional and bodybuilder, Andrey Korinets, based in the Russian city of Syktyvkar. In an interview with Reuters, Korinets confirmed that he owned the relevant email accounts, but he denied any knowledge of Cold River.

A security engineer on Google's Threat Analysis Group, Billy Leonard, said Google had identified Korinets as being active in Cold River.

It is unclear whether Korinets has been involved in hacking operations since 2020. He offered no explanation of why these email addresses were used and did not respond to further phone calls and emailed questions, Reuters said.
