Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Russian Espionage APT Callisto Focuses on Ukraine War Support Organizations

The Russia-linked cyberespionage group known as Callisto has been observed targeting multiple entities that provide war support for Ukraine, including private companies in the US and Europe.

The Russia-linked cyberespionage group known as Callisto has been observed targeting multiple entities that provide war support for Ukraine, including private companies in the US and Europe.

Active since at least 2017, the advanced persistent threat (APT) actor is also tracked as Blue Callisto, Coldriver, Seaborgium, and Callisto Group, and is known for launching operations that align with Russian state interests.

The group was observed targeting Ukraine in the run-up to Russia’s February 2022 invasion of the country, and has shown an increased interest in Ukraine after the war started, with observed activity stretching to October 2022.

According to professional services firm PwC, between February and October 2022, Callisto targeted at least one private Ukrainian company related to logistics, while continuing to focus on governmental organizations in Europe and the US.

However, cybersecurity firm Sekoia.io reports that the group has targeted at least ten entities involved in Ukraine support, including six private companies in the US and Eastern Europe and four non-governmental organizations (NGOs).

“Most of the targeted private organizations are involved in military equipment, military logistics or humanitarian support for Ukraine, including a US company that provides humanitarian logistics and possibly tactical equipment to Kiev,” Sekoia.io says.

Targeted entities include a military equipment company in Poland (UMO), logistics companies in the US (DTGruelle) and Ukraine (Emcompass), a military and tactical equipment provider in the US (Global Ordnance), a cybersecurity firm in Estonia (BotGuard), and a US satellite communications firm (Blue Sky Network).

Callisto is also believed to have targeted NGOs and think tanks involved in war crime investigation and conflict resolution, most of which are publicly supporting Ukraine: International Center on Nonviolent Conflict, Commission for International Justice and Accountability, Centre for Humanitarian Dialogue, and Foundation for Support of Reforms in Ukraine.

Advertisement. Scroll to continue reading.

“The observed victimology through the investigation matches known Calisto victimology, namely strategic research, civil society and military equipment sectors, as well as entities and individuals involved in Russian matters,” Sekoia.io notes.

The cybersecurity firm also observed Callisto malicious domains that are typosquatting the Russian Ministry of Interior and the Russian Federal Taxation Service, which suggests that the group might also be involved in domestic surveillance activities.

In August 2022, Microsoft announced the disruption of Callisto infrastructure, noting that the group was involved in the targeting of former intelligence officers, and Sekoia.io has found evidence supporting this theory, in the form of a domain typosquatting Sangrail Inc., a private security company.

Sekoia.io assesses that the observed activity likely contributes “to Russian efforts to disrupt Kiev supply-chain for military reinforcements”, and that “Callisto contributes to Russian intelligence collection about identified war crime-related evidence and/or international justice procedures.”

In a report this week, Recorded Future, which tracks the threat actor as TAG-53, mentions the same victimology as Sekoia.io, noting that all indicators suggest that Callisto is likely “continuing its phishing and credential-harvesting operations”, with a focus on verticals of interest to Russia in light of the war in Ukraine.

Related: Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War

Related: Russia Gives Citizenship to Ex-NSA Contractor Edward Snowden

Related: Spanish Research Center Suffers Cyberattack Linked to Russia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...