The UK National Cyber Security Centre (NCSC) and Microsoft have issued a warning about the Russian state-backed entity known as "Callisto Group" (also referred to as "Seaborgium" or "Star Blizzard"). The group has been found to be actively engaging in spear-phishing campaigns globally, aiming to pilfer account credentials and sensitive data from targeted organisations.
Operating as an advanced persistent threat actor (APT) since late 2015, Callisto has been linked to Russia's 'Centre 18' division within the Federal Security Service (FSB).
In previous years, Microsoft's threat analysts stopped an attack by this group against several European NATO countries. This intervention involved deactivating the threat actor's Microsoft accounts, which were utilised for surveillance and email collection. Microsoft identified and reported 69 domains associated with the group's phishing campaigns, leading to the shutdown of these sites.
In January of this year, the NCSC issued a warning regarding Callisto's attacks, emphasising the group's expertise in open-source intelligence (OSINT) and social engineering tactics.
The UK has claimed that the group is responsible for cyber assaults involving the theft of credentials and data against parliamentarians from multiple political parties, universities, journalists, the public sector, non-governmental organisations, and various civil society entities.
A press statement from the UK states, "The Foreign, Commonwealth, and Development Office have summoned the Russian Ambassador to express the UK's profound concern regarding Russia's persistent efforts to employ cyber means to interfere in political and democratic processes in the UK and beyond."
Callisto’s latest activities
The NCSC says Callisto remains focused on launching spear-phishing attacks targeting the country's governmental organisations, think tanks, politicians, defence-industrial units, and various NGOs.
"This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organisations. This activity is continuing through 2023," warns the NCSC.
The attackers source key information from social media platforms like LinkedIn and then approach their targets by emailing personal addresses that are less likely to be monitored by enterprise security software.
After building rapport with the target over time, Callisto sends a malicious link embedded in a PDF document hosted on Google Drive or OneDrive, which takes the target to a phishing site.
Illegitimate domains host phishing sites that specifically target Microsoft, Yahoo, and other email platforms. These sites frequently employ CAPTCHA protection to distinguish and block bots, creating an added layer of apparent legitimacy.
The phishing campaign is supported by the EvilGinx proxy attack framework, an open-source tool designed to steal both user credentials and session cookies. This enables Callisto to bypass two-factor authentication when accessing accounts with the illicitly obtained login details.
The assailants leverage the data to infiltrate the victim's email account, scrutinise their inbox, and establish forwarding rules that provide continuous access to the victim's future communications.
In this concluding phase, operators from Callisto identify and exploit any lateral phishing opportunities, capitalising on their entry into the victim's inbox to target additional key individuals.
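The inbox forwarding rules described above are one of the few artefacts of this intrusion chain that a defender can see in their own telemetry. The following is an added example, not code from the advisory or from Microsoft: a small scanner that reads mailbox-audit events and flags rules that forward mail to an address outside the organisation. The log records, field names (`op`, `mailbox`, `forward_to`, `delete`), internal domain and the "delete after forwarding" heuristic are all constructed for this illustration and do not correspond to any vendor's audit schema.

```python
"""Flag mailbox rules that forward mail outside the organisation.

Added example: input is newline-delimited JSON audit events. The schema and
the sample events below are constructed for this demo (assumption), not a
real product's log format.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

ORG_DOMAIN = "example.org"  # assumed internal domain for the demo

# Constructed sample audit events, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2023-12-07T09:12:01Z", "op": "New-InboxRule", "mailbox": "alice@example.org", "rule": "Archive newsletters", "forward_to": [], "delete": false}
{"ts": "2023-12-07T09:40:33Z", "op": "New-InboxRule", "mailbox": "alice@example.org", "rule": ".", "forward_to": ["collector@mail-relay.invalid"], "delete": true}
{"ts": "2023-12-07T10:02:10Z", "op": "Set-InboxRule", "mailbox": "bob@example.org", "rule": "Team", "forward_to": ["bob.backup@example.org"], "delete": false}
{"ts": "2023-12-07T10:15:44Z", "op": "Set-Mailbox", "mailbox": "carol@example.org", "rule": null, "forward_to": ["carol.personal@webmail.invalid"], "delete": false}
"""

# Operations that can create or change forwarding behaviour (assumed names).
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


@dataclass
class Finding:
    ts: str
    mailbox: str
    reasons: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address's domain is not the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def analyse_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a rule that forwards externally, else None."""
    if event.get("op") not in RULE_OPS:
        return None
    external = [a for a in event.get("forward_to", []) if is_external(a)]
    if not external:
        return None  # internal-only forwarding is routine and not flagged
    reasons = [f"forwards to external address(es): {', '.join(external)}"]
    # Added heuristic: a rule that also deletes the forwarded message hides
    # the forwarding from the mailbox owner, which raises the severity.
    if event.get("delete"):
        reasons.append("rule deletes messages after forwarding")
    return Finding(event["ts"], event["mailbox"], reasons)


def scan(log_text: str) -> List[Finding]:
    """Parse NDJSON audit text and collect findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        finding = analyse_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.mailbox, "|", "; ".join(f.reasons))
```

Run against the constructed log, the scanner reports the two rules that forward to external domains (one of which also deletes the forwarded copy) and stays silent on the newsletter rule and the internal backup rule. In practice the same check is worth running as an alert on rule-creation events rather than as a periodic sweep, since the forwarding rule is what gives the attacker continuing access after the stolen session expires.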
Microsoft, in a recent report, has outlined new techniques, tactics, and procedures adopted by the threat actor since April 2023:
Implementation of server-side scripts to impede automated scanning of the malicious infrastructure.
Utilisation of email marketing platform services like HubSpot and MailerLite to obfuscate genuine email addresses.
Deployment of a DNS provider to conceal the IP addresses of the VPS infrastructure.
Adoption of a domain generation algorithm (DGA) for enhanced evasion and resilience against blocks.
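The last item, use of a domain generation algorithm, is something defenders can look for on their side of the connection: algorithmically generated labels tend to look different from human-chosen ones. The block below is an added example (not from the advisory or from Microsoft) that scores hostnames seen in DNS or proxy logs on three simple properties of the registrable label. The thresholds, the sample hostnames and the assumption of a single-label public suffix are all constructed for this illustration; none of the sample names is a real indicator.

```python
"""Heuristic DGA-likeness scoring for hostnames from DNS/proxy logs.

Added example. Thresholds and sample hostnames are constructed
(assumptions), and the suffix handling assumes a single-label TLD; a real
deployment would use the public suffix list and tune thresholds on its own
traffic.
"""
import math
from collections import Counter
from typing import List

VOWELS = set("aeiou")

# Constructed sample hostnames: a well-known-looking name, a long but
# human-readable name, and a random-looking label.
SAMPLE_HOSTS = [
    "microsoft.com",
    "accounts-secure-login.invalid",
    "xk3q9vhb2lwpz.net",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Label directly under the suffix, e.g. 'example' for 'a.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonant letters (non-letters break runs)."""
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(domain: str) -> int:
    """Count of heuristics the registrable label trips (0..4)."""
    label = registrable_label(domain)
    score = 0
    if shannon_entropy(label) > 3.5:          # assumed threshold
        score += 1
    if len(label) >= 12:                      # assumed threshold
        score += 1
    if longest_consonant_run(label) >= 4:     # unpronounceable stretch
        score += 1
    if any(c.isdigit() for c in label) and any(c.isalpha() for c in label):
        score += 1                            # mixed letters and digits
    return score


def triage(hosts: List[str], threshold: int = 3) -> List[str]:
    """Return the hosts whose score reaches the (assumed) alert threshold."""
    return [h for h in hosts if dga_score(h) >= threshold]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:32s} score={dga_score(h)}")
    print("review:", triage(SAMPLE_HOSTS))
```

On the constructed sample the random-looking label scores 4 and is returned for review, while the long but readable name scores 2 (it trips the entropy and length tests alone), which is why the alert threshold sits at 3 rather than at any single feature: long, readable hostnames are common, and entropy on its own produces noise.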
Effectively countering the Callisto threat and any spear-phishing endeavours necessitates a comprehensive strategy. This includes the incorporation of phishing-resistant multi-factor authentication (MFA) methods such as hardware keys, the enforcement of rigorous conditional access policies, and vigilant monitoring for unusual activities.
Consequences of Callisto’s actions
An international law enforcement coalition comprising agencies from the UK, US, Australia, Canada, and New Zealand has successfully identified two individuals affiliated with the Callisto hacking group.
These individuals are Aleksandrovich Peretuatko, suspected to be an intelligence officer associated with FSB Center 18, and Andrey Stanislavovich Korinets, also known as "Alexey Doguzhiev."
Both Peretuatko and Korinets are directly implicated in Callisto operations that targeted numerous UK organisations, resulting in unauthorised access and the extraction of sensitive data.
In an announcement, both the UK and the US have imposed sanctions on the two individuals for their involvement in attempting to undermine the democratic processes in the UK. The US Department of Justice has additionally indicted them for engaging in "malign influence operations designed to impact the U.K.’s 2019 Elections."