Attackers targeted the U.K.'s Foreign Office with a spear-phishing campaign believed to have begun in April 2016.
It's unknown at this point whether the cybercriminals behind the campaign – said to be the Callisto Group – managed to siphon out any data, according to the U.K.'s National Cyber Security Centre. However, an unnamed source told the BBC that the affected network does not store the most sensitive data used by the Foreign and Commonwealth Office (FCO), an agency of the U.K. government that safeguards the nation's security.
According to a whitepaper from F-Secure released on Thursday, the incursion was a spear-phishing campaign, a common method used by cyberthieves in which emails target specific individuals. The incoming message seems legitimate because it has been customized to appear to come from a familiar source, and recipients are duped into clicking on a malicious link or providing their username and password.
In this campaign, a number of links in the emails appeared to come from sites associated with the Foreign Office.
The report, written by Sean Sullivan, a security adviser at F-Secure Labs, said the domains were created by hackers F-Secure dubbed the Callisto Group, a criminal enterprise that the cybersecurity firm said has been around since 2015 but has yet to be unmasked. Their aim, Sullivan said, is stealing intelligence regarding European foreign and security policy from military personnel, government officials, think tanks and journalists, primarily in Eastern Europe, the South Caucasus, Ukraine and the U.K.
Previous campaigns were clever, Sullivan explained, in targeting specific individuals with highly crafted emails that appeared convincing: some were disguised as Google alerts, others appeared to arrive from the email accounts of individuals likely known to the recipient. For example, one email campaign, which referenced a conference in Europe focused on security policy, appeared to come from the organizers of the conference.
"We are currently not aware of any evidence suggesting any of these individuals were compromised, just that they were targeted," the study found.
The malicious attachments delivered in these spear-phishing emails were Microsoft Word .docx files in which malware executables were embedded. If clicked, the link delivers an iteration of Scout, a malware tool from the HackingTeam RCS Galileo platform.
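The lure format described above, a .docx carrying an embedded executable, is a ZIP container whose embedded objects live under word/embeddings/. As an added example (not code from the F-Secure report or the article), the following scanner opens a .docx, lists its embedded objects and flags any that contain a PE "MZ" header; the sample documents it checks are constructed inline.

```python
"""Flag .docx files whose embedded objects carry a PE executable.

Added example, not from the F-Secure report. A .docx is a ZIP archive;
OLE packages that wrap other files sit under word/embeddings/, and a
wrapped Windows executable carries the "MZ" DOS header somewhere inside.
"""
import io
import zipfile

MZ_MAGIC = b"MZ"
EMBED_PREFIXES = ("word/embeddings/", "word/activeX/")


def scan_docx(data: bytes) -> dict:
    """Return embedded-object findings for a .docx supplied as bytes."""
    findings = {"embedded_objects": [], "contains_executable": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.startswith(EMBED_PREFIXES):
                continue  # document body, styles, relationships: not an object
            payload = zf.read(info.filename)
            has_mz = MZ_MAGIC in payload  # crude but catches packaged PE files
            findings["embedded_objects"].append(
                {"name": info.filename, "size": len(payload), "mz": has_mz}
            )
            if has_mz:
                findings["contains_executable"] = True
    return findings


def build_sample_docx(with_embedded_exe: bool) -> bytes:
    """Constructed minimal docx-like ZIP for testing; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_embedded_exe:
            # OLE compound-file signature followed by a fake PE "MZ" header
            ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + b"MZ\x90\x00"
            zf.writestr("word/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_docx(build_sample_docx(flag)))
```

Running the scanner over a mail gateway's quarantined attachments gives a cheap first triage signal; a clean document yields no embedded objects, while the constructed lure is flagged for its MZ header.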
HackingTeam, Sullivan explained, is the Italian software company behind RCS, described as "the hacking suite for governmental interception." The source code and ready-made installers for that tool were leaked to the public following a breach of the company.
Based on its analysis, the F-Secure team reported that it believed the Callisto Group did not, in fact, make use of the actual leaked RCS Galileo source code, but rather used the leaked ready-made installers to set up its own installation of the RCS Galileo platform. That is an easy task, Sullivan said, as the RCS Galileo installation process is freely available on blogs.
The Scout malware tool is a "light backdoor intended to be used as an initial reconnaissance tool to gather basic system information and screenshots from a compromised computer, as well as enable the installation of additional malware," the report explained.
Once infected, a computer would send data to the attackers. Scout also enabled the Callisto Group to install further malware on victim machines, essentially enabling the cyberthieves to gain full access to the device, including all the data stored on it.
The report concluded that the Callisto Group is clearly intent on gathering intelligence related to European foreign and security policy. The study ruled out financial motives, though Sullivan did detect a connection between "infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances." The inference is that Callisto has ties with criminal elements. But perhaps more ominous is the group's targeting, which the report concluded indicated a nation-state "with specific interest in the Eastern Europe and South Caucasus regions."
The "infrastructure," Sullivan said, contained links to Russia, Ukraine, and China "in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure."
The Callisto Group continues to be active, he stated, deploying new phishing infrastructure every week.
Two-factor authentication for accessing email is a deterrent to the Callisto Group's strategies, said the F-Secure report.