Callisto is an advanced persistent threat actor that has been active since late 2015 and has been attributed to Russia's 'Centre 18' division of the Federal Security Service.
Last year, Microsoft's threat analysts disrupted the group's attacks targeting various European NATO countries by deactivating the Microsoft accounts the threat actor used for surveillance and email collection.
In January this year, NCSC warned about Callisto's attacks, underlining the group's open-source intelligence and social engineering skills.
Today, the United Kingdom officially attributed to Callisto the attacks that led to the leaking of UK-US trade documents, the 2018 hack of the UK think tank Institute for Statecraft, and, more recently, the hack of Statecraft's founder Christopher Donnelly.
The UK says the group is behind credential and data theft attacks against parliamentarians from multiple political parties, universities, journalists, the public sector, non-government organizations, and other civil society organizations.
In a bulletin published today, the UK's NCSC says Callisto remains focused on launching spear-phishing attacks targeting the country's governmental organizations, think tanks, politicians, defense-industrial units, and various NGOs.
After building rapport with the target over time, Callisto sends a malicious link embedded in a PDF document hosted on Google Drive or OneDrive, which takes the target to a phishing site.
The phishing operation is backed by the open-source EvilGinx proxy attack framework that steals both user credentials and session cookies.
This allows Callisto to bypass two-factor authentication when logging in with the stolen credentials.
Next, the attackers use the stolen information to access the victim's email account, analyze their inbox, and set up forwarding rules that give them ongoing access to the victim's future communications.
At this final stage, Callisto operators identify and engage in any lateral phishing opportunities, using their access to the victim's inbox to hit other key targets.
Defending against the Callisto threat and any spear-phishing attack requires a multi-faceted approach, including using phishing-resistant MFA methods like hardware keys, implementing strict conditional access policies, and monitoring for abnormal activity such as newly created mail-forwarding rules.
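As an added example (not from the article or the NCSC bulletin), the following Python check targets the post-compromise step described above: it scans Exchange admin audit records for forwarding rules that send a victim's mail outside the organization and notes whether the rule also deletes the original, which hides the forwarding from the mailbox owner. The sample records, the internal domain list and the record shape (an Operation plus a Parameters list of Name/Value pairs) are constructed assumptions, not real logs.

```python
import json

# Domains the organization owns; anything else counts as external (assumed value).
INTERNAL_DOMAINS = {"example.gov.uk"}

# Cmdlets and parameters through which a mailbox can be made to forward mail.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records (not real logs), shaped like Exchange admin audit
# entries: Operation, UserId and a Parameters list of Name/Value pairs.
SAMPLE_LOG = r"""
{"CreationTime":"2023-12-07T10:14:03","Operation":"New-InboxRule","UserId":"a.member@example.gov.uk","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:collector@mail-example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2023-12-07T11:02:51","Operation":"New-InboxRule","UserId":"b.staff@example.gov.uk","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"MoveToFolder","Value":"Projects"}]}
{"CreationTime":"2023-12-07T11:30:09","Operation":"Set-Mailbox","UserId":"c.aide@example.gov.uk","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:c.aide@example.gov.uk"}]}
"""

def address_domain(value: str) -> str:
    """Domain of an 'smtp:user@domain' or 'user@domain' value, lowercased."""
    addr = value.split(":", 1)[1] if ":" in value else value
    return addr.rsplit("@", 1)[-1].strip().lower()

def external_forwarding_targets(record: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """External forwarding destinations set by one audit record, if any."""
    if record.get("Operation") not in FORWARDING_OPS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARD_PARAMS:
            continue
        # A parameter may carry several recipients separated by ';'.
        for value in str(param.get("Value", "")).split(";"):
            value = value.strip()
            if value and address_domain(value) not in internal_domains:
                targets.append(value)
    return targets

def find_suspicious_forwarding(log_text: str, internal_domains=INTERNAL_DOMAINS) -> list:
    """Scan newline-delimited JSON audit records; report external forwarding."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        targets = external_forwarding_targets(record, internal_domains)
        if not targets:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        findings.append({"time": record.get("CreationTime"), "user": record.get("UserId"),
                         "operation": record["Operation"], "targets": targets,
                         # DeleteMessage=True hides the forwarded copy from the victim.
                         "hides_copy": str(params.get("DeleteMessage", "")).lower() == "true"})
    return findings
```

Running `find_suspicious_forwarding(SAMPLE_LOG)` flags only the first record; the internal forward in the third record is ignored.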
Sanctioned by the US and UK
An international law enforcement operation consisting of agencies from the UK, US, Australia, Canada, and New Zealand has identified two members of the Callisto hacking group.
The two are considered directly responsible for Callisto operations targeting multiple UK organizations, some resulting in unauthorized access and exfiltration of sensitive data.
As part of today's announcement, both the UK and the US have sanctioned the two members for attempting to undermine the UK's democratic process.
The US government's Rewards for Justice program also offers a $10 million reward for information on Callisto's group members and their activities.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 07 Dec 2023 16:40:12 +0000