Security Experts:

Connect with us

Hi, what are you looking for?



Russian Espionage APT Callisto Focuses on Ukraine War Support Organizations

The Russia-linked cyberespionage group known as Callisto has been observed targeting multiple entities that provide war support for Ukraine, including private companies in the US and Europe.

The Russia-linked cyberespionage group known as Callisto has been observed targeting multiple entities that provide war support for Ukraine, including private companies in the US and Europe.

Active since at least 2017, the advanced persistent threat (APT) actor is also tracked as Blue Callisto, Coldriver, Seaborgium, and Callisto Group, and is known for launching operations that align with Russian state interests.

The group was observed targeting Ukraine in the run-up to Russia’s February 2022 invasion of the country, and has shown an increased interest in Ukraine after the war started, with observed activity stretching to October 2022.

According to professional services firm PwC, between February and October 2022, Callisto targeted at least one private Ukrainian company related to logistics, while continuing to focus on governmental organizations in Europe and the US.

However, cybersecurity firm reports that the group has targeted at least ten entities involved in Ukraine support, including six private companies in the US and Eastern Europe and four non-governmental organizations (NGOs).

“Most of the targeted private organizations are involved in military equipment, military logistics or humanitarian support for Ukraine, including a US company that provides humanitarian logistics and possibly tactical equipment to Kiev,” says.

Targeted entities include a military equipment company in Poland (UMO), logistics companies in the US (DTGruelle) and Ukraine (Emcompass), a military and tactical equipment provider in the US (Global Ordnance), a cybersecurity firm in Estonia (BotGuard), and a US satellite communications firm (Blue Sky Network).

Callisto is also believed to have targeted NGOs and think tanks involved in war crime investigation and conflict resolution, most of which are publicly supporting Ukraine: International Center on Nonviolent Conflict, Commission for International Justice and Accountability, Centre for Humanitarian Dialogue, and Foundation for Support of Reforms in Ukraine.

“The observed victimology through the investigation matches known Calisto victimology, namely strategic research, civil society and military equipment sectors, as well as entities and individuals involved in Russian matters,” notes.

The cybersecurity firm also observed Callisto malicious domains that are typosquatting the Russian Ministry of Interior and the Russian Federal Taxation Service, which suggests that the group might also be involved in domestic surveillance activities.

In August 2022, Microsoft announced the disruption of Callisto infrastructure, noting that the group was involved in the targeting of former intelligence officers, and has found evidence supporting this theory, in the form of a domain typosquatting Sangrail Inc., a private security company. assesses that the observed activity likely contributes “to Russian efforts to disrupt Kiev supply-chain for military reinforcements”, and that “Callisto contributes to Russian intelligence collection about identified war crime-related evidence and/or international justice procedures.”

In a report this week, Recorded Future, which tracks the threat actor as TAG-53, mentions the same victimology as, noting that all indicators suggest that Callisto is likely “continuing its phishing and credential-harvesting operations”, with a focus on verticals of interest to Russia in light of the war in Ukraine.

Related: Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War

Related: Russia Gives Citizenship to Ex-NSA Contractor Edward Snowden

Related: Spanish Research Center Suffers Cyberattack Linked to Russia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...