
US, UK accuse Russia’s Callisto Group of cyber espionage, political interference


U.S. and UK authorities have unleashed a slew of actions against the Callisto Group threat gang, accusing it of running a years-long espionage campaign against both nations on behalf of Russia’s intelligence service.

The accusations against the advanced persistent threat (APT) group include carrying out targeted attacks against organizations and individuals on both sides of the Atlantic and attempting to interfere in UK political processes.

The U.S. and UK governments say Callisto Group — also known as Seaborgium, Coldriver, Star Blizzard, TA446 and TAG-53 — is linked to Russia’s Federal Security Service (FSB), specifically its Center 18 cyberespionage unit.

Government sanctions have been imposed on two members of the group. The same individuals have been charged with a number of cybercrimes and the State Department is offering a reward of up to $10 million for information that helps apprehend members of the gang.

In a statement, the State Department said the gang targeted U.S.-based entities and individuals, including employees at Department of Energy facilities.

“The [sanctioned] conspirators also targeted UK officials, think tank researchers, and journalists, from whom certain information was leaked before the 2019 UK elections,” the State Department said.

The two men facing charges and sanctions are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev). Both are members of Callisto Group and Peretyatko is also an intelligence officer in the FSB.

Meanwhile, the UK government summoned Russia’s ambassador “to express the UK’s deep concern” at the FSB’s prolonged espionage campaign.

“In sanctioning those responsible and summoning the Russian Ambassador today, we are exposing their malign attempts at influence and shining a light on yet another example of how Russia chooses to operate on the global stage,” UK Foreign Secretary David Cameron said in a statement.

Global spear-phishing campaigns targeted members of the government, media

According to a U.S. Treasury statement, FSB-sponsored global spear-phishing campaigns have targeted the email accounts of people in government, military, media and other organizations since 2016.

“The FSB’s spear-phishing campaigns have been designed to gain access to targeted email accounts, to maintain persistent access to the accounts and associated networks, and to obtain and potentially exfiltrate sensitive information to advance the Kremlin’s policy goals,” the statement said.

The campaigns included “hack-and-leak operations, where stolen and leaked information is used to shape narratives in targeted countries.”

In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. and international agencies outlined the tactics and techniques Callisto Group used to hack into targets’ email accounts, and how it subsequently abused the access it gained.

“The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets,” the advisory said.

“Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts and have used supposed conference or event invitations as lures.”

Once the email accounts were compromised, the threat group stole the contents of sensitive emails and contact lists, and was known to set up mail forwarding rules so it had ongoing access to victims’ communications.
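Forwarding rules of the kind described above are a persistence mechanism that survives a password reset, so they are worth hunting for directly. The following is an added example, not code from the advisory or from any of the vendors quoted in this article: it scores inbox rules for the traits that make a rule look like covert forwarding (external destination, hiding the forwarded copy from the mailbox owner, a blank or one-character rule name, diverting mail into a rarely viewed folder). The rule records and field names are constructed for this illustration and do not mirror any particular mail API.

```python
"""Score mailbox inbox rules for signs of covert forwarding after an account compromise.

Added example. The InboxRule fields and the sample rules below are constructed
for illustration; map them onto whatever your mail platform's rule export provides.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Domains that belong to the organisation (assumption for this example).
ORG_DOMAINS = {"example.org"}

# Folders that users rarely open; attackers divert replies or alerts into them.
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: str | None = None


def is_external(address: str) -> bool:
    """True when the address domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def score_rule(rule: InboxRule) -> tuple[int, list[str]]:
    """Return a risk score and the reasons behind it. Higher means more suspicious."""
    score, reasons = 0, []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        score += 5
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule.forward_to and (rule.delete_message or rule.mark_as_read):
        score += 3
        reasons.append("hides forwarded mail from the owner (delete or mark as read)")
    if rule.move_to_folder and rule.move_to_folder.lower() in LOW_VISIBILITY_FOLDERS:
        score += 2
        reasons.append(f"moves mail into a low-visibility folder: {rule.move_to_folder}")
    if len(rule.name.strip()) <= 1:
        score += 2
        reasons.append("rule name is blank or a single character")
    return score, reasons


def suspicious_rules(rules: list[InboxRule], threshold: int = 5) -> list[tuple[InboxRule, int, list[str]]]:
    """Rules at or above the threshold, most suspicious first."""
    scored = [(r, *score_rule(r)) for r in rules]
    return sorted((t for t in scored if t[1] >= threshold), key=lambda t: -t[1])


# Constructed sample: one covert forwarding rule, one benign rule, one internal forward.
SAMPLE_RULES = [
    InboxRule("researcher@example.org", ".", forward_to=["collector@mail-relay.example.net"], delete_message=True),
    InboxRule("analyst@example.org", "Team updates", move_to_folder="Projects"),
    InboxRule("editor@example.org", "Sec alerts", forward_to=["editor@example.org"], mark_as_read=True),
]

if __name__ == "__main__":
    for rule, score, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"{rule.mailbox}: rule {rule.name!r} score={score}")
        for reason in reasons:
            print("   -", reason)
```

The threshold is deliberately set so that a single external forward is enough to surface a rule; in a real tenant the export of all rules should be run on a schedule and diffed, since a rule created the night before the review is the one that matters.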

Microsoft’s Threat Intelligence team published research on new techniques the threat group was using to evade detection. These included using server-side scripts to prevent automated scanning of its Evilginx server infrastructure.

The APT group used email marketing platform services to hide true email sender addresses and avoid the need to reveal details of the domain infrastructure they controlled in their email messages. The group also used a DNS provider to obscure the IP addresses of the virtual private server (VPS) infrastructure it controlled.
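The two tactics in the advisory quoted above, impersonating a known contact and sending through a marketing platform so the true origin never appears in the message, both leave traces in the headers. The following added example (not code from the advisory, Microsoft, or the article's author) runs header triage on a constructed message: it flags a From display name that matches a known contact but carries a different address, a Reply-To or Return-Path domain that differs from the From domain, and an envelope sender that belongs to a bulk-mailing service. The contact list, the bulk-mailer domain list and both sample messages are constructed placeholders.

```python
"""Header triage for spear-phishing mail that impersonates a contact or hides its sender.

Added example. KNOWN_CONTACTS, BULK_MAILER_DOMAINS and the sample messages are
constructed; a real deployment would feed them from the address book and a
maintained list of mailing-platform envelope domains.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Display name (lower-cased) -> the address that name legitimately uses. Constructed.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@think-tank.example"}

# Envelope-sender domains of bulk mailing platforms. Constructed placeholder.
BULK_MAILER_DOMAINS = {"bulkmail.example.net"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_findings(msg: Message) -> list[str]:
    """Return human-readable findings for the headers of one parsed message."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name belongs to a known contact but the address does not match.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name {from_name!r} is a known contact at {expected} but address is {from_addr}")

    # 2. Replies are steered to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. The envelope sender (Return-Path) is not the From domain, and may be a mailing platform.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = domain_of(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    if rp_domain in BULK_MAILER_DOMAINS:
        findings.append(f"envelope sender is a bulk mailing platform ({rp_domain}); originating infrastructure hidden")
    return findings


def triage(raw_message: str) -> list[str]:
    """Parse a raw RFC 5322 message and return its header findings."""
    return header_findings(message_from_string(raw_message))


# Constructed sample: a lure that borrows a contact's name and goes out via a bulk mailer.
SAMPLE_PHISH = """\
Return-Path: <bounce-123@bulkmail.example.net>
From: Dana Reyes <dana.reyes.tt@webmail-free.example>
Reply-To: Dana Reyes <d.reyes.tt@webmail-free.example>
To: target@example.org
Subject: Invitation: closed-door roundtable, please confirm

Hi, could you confirm your attendance via the link below?
"""

# Constructed sample: the same contact writing from their real address.
SAMPLE_LEGIT = """\
Return-Path: <dana.reyes@think-tank.example>
From: Dana Reyes <dana.reyes@think-tank.example>
To: target@example.org
Subject: Draft for review

Attached is the draft we discussed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

None of these checks is proof on its own; newsletters legitimately arrive with a bulk-mailer Return-Path, and people do write from personal accounts. The value is in the combination: a known contact's name on an unfamiliar address, delivered through a platform that hides the sender, asking for a confirmation click, is exactly the pattern the advisory describes and is worth a second look before anyone follows the link.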

Anurag Gurtu, chief product officer at StrikeReady, said that given the sophistication and targeted nature of Callisto Group’s attacks, security teams should take the threat it poses seriously.

“[Their] evolution in evasion techniques highlights the need for both enterprise and individual vigilance in email security and underscores the importance of advanced security measures to counter sophisticated cyber threats,” Gurtu said.

Mandiant Intelligence chief analyst John Hultquist said Callisto Group’s recent political interference activity was an interesting development that suggested the FSB may be moving into an area of activity previously dominated by Russia's military intelligence service, the GRU.

“[Until now] the GRU has received the lion’s share of the attention when it comes to election-related activity, which is only natural given their history of serious incidents in the U.S. and France, but this actor is one to watch closely as elections near,” Hultquist said. “The FSB clearly has an interest in political interference, and hacked emails are a powerful tool.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
