The Callisto APT group targeted government officials, military personnel, journalists and think tanks since at least 2015.
F-Secure is still investigating the case, the experts of the company reported that the Callisto Group’s infrastructure has links with entities in China, Russia, and Ukraine.
The researchers speculate the attacker is a nation-state actor:
“It is worth noting that during our investigation we uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances.” reads the report published by F-Secure. “While the targeting would suggest that the main benefactor of the Callisto Group’s activity is a nation state with a specific interest in the Eastern Europe and South Caucasus regions, the link to infrastructure used for the sale of controlled substances hints at the involvement of a criminal element. Finally, the infrastructure associated with the Callisto Group and related infrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure.”
The Callisto APT Group was involved in highly targeted phishing attacks using a malware that is a variant of the Scout tool from the RCS Galileo developed by the surveillance firm HackingTeam.
The code of the surveillance tool was leaked online after hackers broke into the Hacking Team network. F-Secure experts believe the Callisto Group did not utilize the leaked RCS Galileo source code, but rather attackers used the leaked readymade installers to set up their own installation of the RCS Galileo platform.
“The process for using the leaked installers to set up an RCS Galileo installation has been described online in publicly available blog posts, making the process trivial to achieve” continues the report. “In all known malicious attachments, the final payload was a variant of the “Scout” tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.”
According to the group, the Callisto APT continues to be active, the experts observed the last malware in February 2016, meanwhile, they continue setting up new phishing infrastructure on weekly bases.
Let me suggest reading the report on the Callisto APT Group that is full of interesting info, including IoCs and mitigation strategies.
(Security Affairs – Callisto APT Group, Hacking Team)