Blue Callisto, a probable Russia-aligned threat group associated with attacks that gather credentials from US and European government officials, has been quietly running a phishing campaign, PwC's threat intelligence team found. The group has mostly conducted cyber espionage against pro-Ukraine nations, including a phishing activity that spoofed US National Laboratories in July 2022.
Although there were some shifts in its tactics, techniques, and procedures (TTPs), the group has largely kept using its established tooling and infrastructure patterns, the team reported.
Blue Callisto a.k.a. SEABORGIUM a.k.a. Callisto Group
“Blue Callisto is likely a Russia-based threat actor which primarily conducts phishing attacks for espionage purposes since at least 2017. The threat actor is interested in acquiring credentials from US and European government officials and organisations linked to national security matters,” said the PwC report.
PwC lists SEABORGIUM and Callisto Group as aliases of the group, which it suspects has been active since 2015; other security intelligence teams, such as Microsoft and WithSecure (formerly F-Secure), use these names for what they track as the same actor.
“Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association,” said a Microsoft Threat Intelligence Center (MSTIC) report published in August 2022.
Previous phishing campaigns
The known targets of Callisto Group include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus, according to an earlier report by F-Secure.
“Their primary interest appears to be gathering intelligence related to foreign and security policy in Eastern Europe and the South Caucasus regions,” it said.
In 2017, the group exfiltrated details pertaining to the UK Foreign Office. It also attacked US and UK universities in 2020 and 2022. Researchers found several phishing attempts this year that can be attributed to Blue Callisto, largely because they came from IP addresses suspected to be operated by the group. The attacks were conducted between February and October.
Several espionage attacks using phishing links have been associated with this group owing to similarities in tooling, network providers, and infrastructure setup. Microsoft also pointed out Blue Callisto's use of browser fingerprinting, the collection of browser and device details to profile visitors to its phishing pages. In August 2022 Microsoft took action against the domain goo-link[.]online associated with the group.
In one phishing activity attributed to the Callisto group, a cloned Google login page appeared with its email field statically pre-filled with [email protected] (the value tr333lopex); researchers suspect the group uses this address only for testing.
The page was reached through the following redirection chain. Note that the last two hops reproduce the path and query parameters of Google's genuine sign-in flow (/signin/v2/identifier, /ServiceLogin, flowName=GlifWebSignIn) on the actor-controlled host accounts[.]hypertexttech[.]com, with the continue= and followup= parameters pointing at the real accounts.google.com so the victim lands on Google after the credentials have been captured:
- hxxps[:]//hypertextteches[.]com/patrified.php
- hxxps[:]//accounts[.]hypertexttech[.]com/oOzMeNTe?FtC=DLOJmne17BQw5JRQ74YDgmHxR52d0Ng
- hxxps[:]//accounts[.]hypertexttech[.]com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Faccounts[.]google[.]com%2F&followup=https%3A%2F%2Faccounts[.]google[.]com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin
- hxxps[:]//accounts[.]hypertexttech[.]com/ServiceLogin?continue=https%3A%2F%2Faccounts[.]google[.]com%2F&flowEntry=ServiceLogin&flowName=GlifWebSignIn&followup=https%3A%2F%2Faccounts[.]google[.]com%2F&passive=1209600
The Callisto group has targeted military personnel, think tanks, and journalists in the past. In July this year it was also observed spoofing email addresses belonging to US National Laboratories: in one case the email field of the phishing page showed a Brookhaven National Laboratory address. Researchers suspect the group used this lure to obtain information about nuclear research. Similar phishing activity targeted Lawrence Livermore National Laboratory, a US federal research facility.
Indicators of compromise (defanged):
- cache-dns-forwarding[.]com – domain
- accounts[.]hypertexttech[.]com – domain
- hypertextteches[.]com – domain
- goo-link[.]online – domain
- goo-ink[.]online – domain
- hxxps[:]//hypertextteches[.]com/patrified.php – URL
- hxxps[:]//accounts[.]hypertexttech[.]com/oOzMeNTe?FtC=DLOJmne17BQw5JRQ74YDgmHxR52d0Ng – URL
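The following script is an added example, not code from PwC, Microsoft or the original article. It refangs the IoC domains listed above and scans proxy log lines for two things: direct hits on those domains, and the more general pattern visible in the redirection chain, a Google sign-in path or flowName=GlifWebSignIn served from a host that is not Google's, with continue= or followup= pointing back at accounts.google.com. The second check is a heuristic that generalises beyond the listed domains and will also match other lookalike hosts. The log format (timestamp, source IP, method, URL, status) and the log lines themselves are constructed for this example; the URLs in them are refanged copies of the chain above plus a hypothetical lookalike host (login.example-corp.internal) and benign traffic.

```python
"""Flag Blue Callisto-style Google sign-in clones and IoC hits in proxy logs (added example)."""
from urllib.parse import urlsplit, parse_qs

# Defanged IoCs exactly as published in the article above.
IOC_DOMAINS_DEFANGED = [
    "cache-dns-forwarding[.]com",
    "accounts[.]hypertexttech[.]com",
    "hypertextteches[.]com",
    "goo-link[.]online",
    "goo-ink[.]online",
]

# Paths copied from Google's real sign-in flow, as reproduced in the redirection chain.
GOOGLE_SIGNIN_PATHS = ("/signin/v2/identifier", "/ServiceLogin")


def refang(value: str) -> str:
    """Turn hxxps[:]//a[.]b notation back into a real URL/domain for matching."""
    return (value.replace("hxxps", "https").replace("hxxp", "http")
                 .replace("[:]", ":").replace("[.]", "."))


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def is_google_host(host: str) -> bool:
    host = host.lower()
    return host == "google.com" or host.endswith(".google.com")


def ioc_domain_match(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one (label-safe suffix match)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def analyze_url(url: str) -> dict:
    """Return IoC hit status and the clone signals seen in a single URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"url": url, "host": host, "ioc_hit": ioc_domain_match(host), "clone_signals": []}
    if not is_google_host(host):  # Google's own sign-in pages are never a clone
        if any(parts.path.startswith(p) for p in GOOGLE_SIGNIN_PATHS):
            result["clone_signals"].append("google-signin-path")
        qs = parse_qs(parts.query)  # values are percent-decoded here
        if "GlifWebSignIn" in qs.get("flowName", []):
            result["clone_signals"].append("glif-flow-name")
        for key in ("continue", "followup"):
            targets = qs.get(key, [])
            if any(is_google_host(urlsplit(t).hostname or "") for t in targets):
                result["clone_signals"].append(f"{key}-to-google")
    return result


def scan_log(lines) -> list:
    """Parse 'ts src method url status' lines and keep those with an IoC hit or clone signal."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        ts, src, _method, url, _status = fields[:5]
        r = analyze_url(url)
        if r["ioc_hit"] or r["clone_signals"]:
            findings.append({"ts": ts, "src": src, **r})
    return findings


# Constructed sample log: one benign Google login, the four-hop chain from the article
# (refanged), a hypothetical lookalike host not in the IoC list, and benign browsing.
LOG_LINES = """\
2022-10-03T09:14:22Z 10.1.4.23 GET https://accounts.google.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn 200
2022-10-03T09:15:01Z 10.1.4.23 GET https://hypertextteches.com/patrified.php 302
2022-10-03T09:15:02Z 10.1.4.23 GET https://accounts.hypertexttech.com/oOzMeNTe?FtC=DLOJmne17BQw5JRQ74YDgmHxR52d0Ng 302
2022-10-03T09:15:03Z 10.1.4.23 GET https://accounts.hypertexttech.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin 200
2022-10-03T09:16:40Z 10.1.4.77 GET https://login.example-corp.internal/ServiceLogin?continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn 200
2022-10-03T09:17:05Z 10.1.4.90 GET https://www.example.org/news/ 200
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f["ts"], f["src"], f["host"], "IOC" if f["ioc_hit"] else "   ", f["clone_signals"])
```

The IoC match uses an exact-or-subdomain test rather than a substring search so that, for example, a host ending in "notgoo-link.online" is not flagged. The clone heuristic is deliberately independent of the IoC list: the hop in the chain with the opaque /oOzMeNTe path is caught only by the domain list, while the lookalike host on the fifth line is caught only by the heuristic, which is the point of running both.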