A woman uses her mobile phone in front of the Federal Security Service (FSB) building on Lubyanka Square in Moscow, Russia in June. Photo: Reuters

Britain, US sanction Russian hackers over years-long FSB cyberespionage campaign

  • A hacking group dubbed ‘Cold River’, working on behalf of Russia’s Federal Security Service (FSB), targeted UK politicians, journalists and NGOs
  • On Thursday, a senior US official confirmed that Cold River had successfully hacked a department of energy employee

The British and US governments imposed sanctions on two Russian hackers on Thursday for what Britain’s foreign office said was a sustained but failed attempt to interfere in politics by Russian cyber spies.

A hacking group cybersecurity researchers dubbed “Cold River”, working on behalf of Russia’s Federal Security Service (FSB), targeted British politicians, journalists and non-profit groups over a period of several years, the foreign office said in a statement. It added that Britain had summoned the Russian ambassador, Andrei Kelin, over the issue.

In January this year, Reuters exclusively reported that Cold River had targeted three nuclear research laboratories in the United States.

In a telephone briefing on Thursday, a senior US official confirmed that Cold River had successfully hacked a department of energy employee.

The British government has summoned the Russian ambassador, Andrei Kelin. Photo: Reuters

Moscow said there was no evidence for allegations of the digital spying campaign, Russian agencies reported later on Thursday. Russia’s foreign ministry has previously dismissed Reuters reporting on Cold River as anti-Russian propaganda.

The group, which is also known as “Callisto” or “Star Blizzard”, first appeared on the radar of intelligence professionals after it targeted Britain’s foreign office in 2016. It was also behind the leak of private emails belonging to former British spymaster Richard Dearlove in 2022.

The Reuters report from January, which drew upon internet records and research from five cybersecurity experts, revealed that much of the digital infrastructure used by Cold River was set up by a 36-year-old IT worker named Andrey Korinets, in the northern Russian city of Syktyvkar.

Reached by phone on Thursday, Korinets, one of the two sanctioned FSB hackers, told Reuters he was unaware of any measures against him, or why such sanctions would have been initiated.

Cold River sits within the FSB’s “Centre 18”, one of two known cyber espionage units at the intelligence agency, Britain’s foreign office and the US justice department said.

Centre 18 is “supposed to be the FBI’s counterpart in fighting cybercrime”, the senior US official said. And yet, “you have a law enforcement agency using cyber offensive operations and leveraging a cybercriminal to aid in those efforts”.

The US treasury said Korinets conspired with FSB officer Ruslan Peretyatko, who was also sanctioned, to break into victims’ computer systems and in one case impersonate a retired US Air Force general in a bid to trick the targets into clicking on malicious links.

Korinets declined to answer further questions and telephone calls from Reuters. Calls to Peretyatko went unanswered.

A Western government official, speaking on condition of anonymity, said Cold River was still very active, and was part of Moscow’s “Active Measures” intelligence-gathering ecosystem – a Cold War-era term used by the Soviet Union to describe covert political disinformation campaigns.

The group targets the personal email accounts of high-profile victims, Reuters found, including at least three former British intelligence officials.

“Because of the UK’s support for Ukraine we are in a state of ‘grey warfare’ with Russia; and the Russians will use every means at their disposal to attack British interests short of open conflict,” Richard Dearlove, the former head of Britain’s Secret Intelligence Service, or MI6, told Reuters.

Many of Cold River’s targets were vocally critical of Russia and its war in Ukraine. Stewart McDonald, a British lawmaker who has publicly supported Kyiv and for years spoken out against Russian interference, said in February that the group hacked his private emails.

“Russia’s military intelligence service, the GRU, has received the lion’s share of the attention when it comes to election related activity, which is only natural given their history of serious incidents in the United States and France, but this actor is one to watch closely as elections near,” said John Hultquist, who heads threat analysis at Google’s Mandiant Intelligence.

The foreign office on Thursday said it was Cold River that leaked classified British-US trade documents in the run up to the 2019 British election.

“The FSB clearly has an interest in political interference, and hacked emails are a powerful tool,” Hultquist said.
