UK and allies expose Russian FSB hacking group, sanction members

December 7, 2023 at 11:40AM

The UK and US warn of Russian state-aligned Callisto Group’s global spear-phishing attacks targeting data and credentials. Active since 2015, Callisto employs sophisticated social engineering and cyber tactics, recently shifting techniques to evade detection. Two group members have been sanctioned for undermining UK democracy.

Meeting Takeaways:

1. The Russian state-backed Callisto Group has been targeting organizations worldwide with spear-phishing campaigns.
2. Callisto, linked to Centre 18 of Russia’s FSB, has been active since 2015 and specializes in account and data theft.
3. Microsoft disrupted a Callisto cyberattack on European NATO countries by deactivating the group’s Microsoft accounts and reporting phishing domains.
4. The UK’s NCSC highlighted Callisto’s OSINT and social engineering skills in January and reiterated the group’s ongoing spear-phishing activities in its latest bulletin.
5. Callisto has been officially attributed by the UK to high-profile cyber incidents including the leak of UK-US trade documents and hacks against political and civil society figures.
6. The UK’s NCSC reports that Callisto’s current modus operandi involves using personalized emails and malicious PDFs on file-sharing platforms to steal credentials and circumvent two-factor authentication.
7. After gaining access to a victim’s email, Callisto sets up forwarding rules and potentially engages in lateral phishing within the victim’s network.
8. Microsoft noted new tactics by Callisto post-April 2023, including using scripts to block scans, using marketing platforms to disguise email, using DNS services to hide IP addresses, and using domain generation algorithms for evasion.
9. Defense against Callisto involves phishing-resistant MFA, strict access policies, and monitoring for abnormal activities.
10. Two Callisto members, Aleksandrovich Peretuatko and Andrey Stanislavovich Korinets, have been sanctioned by the UK and the US for attacks intended to undermine democratic processes.
11. The US offers a $10 million reward for information on Callisto’s group members and activities through the Rewards for Justice program.
12. The Russian Ambassador has been summoned by the UK to express concerns about Russia’s cyber interference efforts.

Recommendations:
– Organizations should use phishing-resistant MFA, like hardware keys, and implement conditional access policies.
– There should be increased monitoring for any abnormal activities within networks.
– Information sharing among international law enforcement agencies should continue to track and sanction individuals linked to these attacks.
– Public and private sector entities should be aware of the described spear-phishing techniques and stay vigilant for related attacks.
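
As an illustration of the monitoring recommended above, the following added example (not from the original article or from the NCSC or Microsoft) flags mailbox rule changes that forward or redirect mail outside the organisation, the post-compromise step described in takeaway 7. The event schema, field names, domains and sample lines are constructed assumptions; map them to whatever your mail platform's audit export provides.

```python
import json

# Constructed sample events, one JSON object per line. The schema (action,
# forward_to, redirect_to, ...) is hypothetical; map it to your mail audit export.
SAMPLE_EVENTS = """\
{"time":"2023-12-01T09:14:02Z","user":"a.smith@example.org","action":"new_inbox_rule","rule":"team copy","forward_to":["b.jones@example.org"],"source_ip":"198.51.100.7"}
{"time":"2023-12-01T09:20:41Z","user":"c.lee@example.org","action":"login","source_ip":"198.51.100.9"}
{"time":"2023-12-02T03:02:55Z","user":"c.lee@example.org","action":"new_inbox_rule","rule":".","forward_to":["Inbox.Copy@mailbox.test"],"source_ip":"203.0.113.50"}
{"time":"2023-12-02T03:05:10Z","user":"d.khan@example.org","action":"update_inbox_rule","rule":"sync","redirect_to":["d.khan@example.org.invalid"],"source_ip":"203.0.113.50"}
not-json-line
"""

INTERNAL_DOMAINS = {"example.org"}            # assumption: the organisation's own domains
RULE_ACTIONS = {"new_inbox_rule", "update_inbox_rule"}
FORWARD_FIELDS = ("forward_to", "redirect_to")

def is_internal(address, internal=INTERNAL_DOMAINS):
    """True only for an exact internal domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal)

def external_forwarding(events_text, internal=INTERNAL_DOMAINS):
    """Return (findings, skipped): rule changes that send mail outside, and unparseable lines."""
    findings, skipped = [], 0
    for line in events_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1                      # count gaps rather than hide them
            continue
        if not isinstance(event, dict) or event.get("action") not in RULE_ACTIONS:
            continue
        targets = [a for f in FORWARD_FIELDS for a in (event.get(f) or [])]
        external = sorted({a.lower() for a in targets if not is_internal(a, internal)})
        if external:
            findings.append({"time": event.get("time"), "user": event.get("user"),
                             "rule": event.get("rule"), "external": external,
                             "source_ip": event.get("source_ip")})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = external_forwarding(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(f"{bad} line(s) could not be parsed")
```

The suffix check treats a lookalike such as example.org.invalid as external, and unparseable lines are counted so that gaps in the audit export are visible to the reviewer.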
