The US and UK governments announced sanctions against two Russian nationals, Ruslan Peretyatko and Andrey Korinets, accused of being actively involved in CALISTO operations.
One year ago, on 6 January 2023, Sekoia.io distributed to our customers a FLINT about our findings on Andrey Korinets.
This investigation began when a trusted source contacted Sekoia.io TDR analysts regarding our previous publication on CALISTO, informing us about a possible link between a known infrastructure used by CALISTO and Andrey Korinets.
Sekoia.io conducted further technical investigation that confirmed a relationship between CALISTO and Korinets from at least 2015 to 2020.
When Reuters published its article on Andrey Korinets, we sent our investigation to our CTI customers.
We are now publishing our technical investigation, which concurs with Reuters' reporting and with the UK and US designation of Andrey Korinets.
Following the intelligence on Korinets provided by a trusted source, SEKOIA.IO conducted research on a former CALISTO infrastructure, allowing us to identify several email addresses used by Andrey Korinets associated with it.
This former CALISTO infrastructure was used to conduct phishing campaigns from at least 2015 up to 2020, when new domains were allegedly used to target several Ukrainian and United Kingdom entities, such as the British Parliament and Cambridge University.
Emails associated with Korinets can be retrieved in historical WHOIS records and SSL certificates associated with CALISTO infrastructure.
It is worth mentioning that the same infrastructure was also used by Korinets to host his own websites, including online shops selling steroids, which matches his personal interests as described in Reuters' article.
According to our contact, two email addresses were allegedly owned and used by Korinets.
Co which present the same pattern as recent CALISTO domains such as eu-office365[.
Three of the previously mentioned phishing domain names resolved to the IP address 37.1.206[.]114, which at the same time was also resolved to by another domain name linked to another email address, namely icloud-service[.
Pw, which resolved to the IP address 139.162.145[.]184, an address also resolved to by several domains associated with Korinets' online steroid shop activities based on their historical WHOIS records, such as muscle[.
Ru is quite interesting as it is associated with another certificate linked to the IP address 95.171.17[.]36 and the domain name serv[.
The IP address 95.171.17[.]36 was resolved to in 2020 by two domain names, and dozens of their subdomains, targeting online services as well as the UK Parliament and Cambridge University.
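The pivots described above (domain to shared IP to sibling domain to registrant email, and certificate to IP to domain) as an added Python example; this is not code from Sekoia's report, and every record, domain, IP, email and fingerprint below is a constructed placeholder. It also adds the fan-out check an analyst applies before trusting a shared-IP pivot.

```python
from collections import defaultdict, deque

# Constructed sample records standing in for passive DNS, historical WHOIS and
# certificate data. None of these values come from the report.
PDNS = [("mail-login[.]test", "203.0.113.10"),       # (domain, IP it resolved to)
        ("secure-office[.]test", "203.0.113.10"),
        ("cloud-service[.]test", "203.0.113.10"),
        ("shop-example[.]test", "198.51.100.7")]
WHOIS = [("mail-login[.]test", "rega@example.test"),  # (domain, registrant email)
         ("cloud-service[.]test", "regb@example.test"),
         ("shop-example[.]test", "regb@example.test")]
CERTS = [("sha256:PLACEHOLDER01", "shop-example[.]test", "198.51.100.7")]  # (fingerprint, name, IP seen)

def refang(s):
    """Turn the defanged 'a[.]b' form used in reports back into a hostname."""
    return s.replace("[.]", ".")

def build_graph():
    """Undirected graph over typed nodes: ('domain', x), ('ip', x), ('email', x), ('cert', x)."""
    g = defaultdict(set)
    def link(a, b):
        g[a].add(b); g[b].add(a)
    for d, ip in PDNS: link(("domain", refang(d)), ("ip", ip))
    for d, e in WHOIS: link(("domain", refang(d)), ("email", e))
    for fp, d, ip in CERTS:
        link(("cert", fp), ("domain", refang(d))); link(("cert", fp), ("ip", ip))
    return g

def pivot(seed, max_hops=4):
    """BFS from a seed domain; return {node: path} for every node within max_hops edges."""
    g = build_graph()
    start = ("domain", refang(seed))
    paths, q = {start: [start]}, deque([start])
    while q:
        n = q.popleft()
        if len(paths[n]) - 1 >= max_hops:   # do not expand nodes already at the hop limit
            continue
        for m in g[n]:
            if m not in paths:
                paths[m] = paths[n] + [m]; q.append(m)
    return paths

def linked_emails(seed, max_hops=4):
    """Registrant emails reachable from the seed, each with the pivot chain that led there."""
    return {e: [f"{k}:{v}" for k, v in p]
            for (k, e), p in pivot(seed, max_hops).items() if k == "email"}

def ip_fanout(ip):
    """Number of domains sharing an IP: a large value suggests shared hosting and a weak pivot."""
    return sum(1 for k, _ in build_graph()[("ip", ip)] if k == "domain")
```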
This email address appears on several Russian websites listing offers in the Komi region, from which Korinets is assessed to originate, but with no good visibility into the real owner's identity.
With this infrastructure investigation, we demonstrated that a Russian individual, whose name was disclosed by Reuters, did in fact register phishing domains used by the CALISTO intrusion set to conduct at least one phishing campaign targeting UK entities, including the Parliament.
Questions now arise as to whether Korinets knew he was colluding with CALISTO operators and/or with Russian intelligence.
The Korinets-CALISTO relationship may have ended in 2020, as SEKOIA.IO did not find any technical links after that date.
This Cyber News was published on blog.sekoia.io. Publication date: Wed, 13 Dec 2023 15:13:37 +0000