A mysterious group appears to be relying on hacking tools that were originally stolen from Italian surveillance company Hacking Team — and leaked online two years ago — to spy on European government officials, think tanks and journalists, according to new research published Thursday by cybersecurity firm F-Secure.
Dubbed the “Callisto Group,” the hackers were first discovered by F-Secure after they sent a wave of phishing emails to a wide array of targets, all of whom were involved in either discussing or reporting on government policies related to foreign affairs and national security. The BBC reported Thursday that one of those targets was the UK’s Foreign and Commonwealth Office.
Several F-Secure contacts received the suspicious phishing emails and sent samples to the Finnish company. The final payload for the malware-laden attachments contained, according to F-Secure, an outdated variant of the Hacking Team’s “Scout” tool, which is typically sold as part of the firm’s “Galileo” remote control system hacking platform.
Sean Sullivan, a security advisor at F-Secure, told CyberScoop that Callisto Group is likely reusing leaked Scout computer code because it was readily available online and could be easily combined with other tools to execute a rudimentary digital espionage operation.
Scout was designed as a preliminary tool that helps users gain access to a target machine and then remotely download other packages of malicious computer code. The specific version of Scout that was leveraged by Callisto is “old, outdated and frankly inferior” to newer versions that have also been found in the wild, Sullivan said.
Although a cursory overview of the Callisto Group’s targets suggests that the group may be aligned with Russian interests, researchers say that the attackers used a completely different command and control infrastructure from that used by APT28 and APT29 — the two predominant cyber espionage groups linked to past Russian intelligence efforts.
“The way they were doing this … it seemed amateurish to us,” Sullivan said of Callisto’s phishing email scheme. “It wasn’t at the level of an intelligence service. They made mistakes.”
Registration information for the network infrastructure used by the Callisto Group in the aforementioned operation was easily linked back to a series of website domains that once sold controlled substances.
Sullivan said that the group’s ties to several illegal drug marketplaces may indicate that the group’s underlying interest was once financial rather than intelligence-driven.
“A lot of what our researchers found makes it seem like they aren’t focused on [espionage],” Sullivan said. “There’s a fuzzy line sometimes between criminal groups and intelligence agencies in some countries … maybe [Callisto Group] was hired to do a job by someone.”
F-Secure’s white paper on the Callisto Group was originally authored more than a year ago, Sullivan said. The research was previously labeled TLP: Amber, which restricted access to the documents to a select group of cybersecurity professionals. F-Secure only published its evidence of the phishing campaign after it was sure that doing so wouldn’t compromise its ability to track Callisto Group in the future. Other cybersecurity firms such as Kaspersky Lab have monitored and are aware of the group’s past activities.
As a company, Hacking Team claims that it only sells malware to governments, law enforcement and intelligence agencies.
CyberScoop previously reported that APT28 — within 24 hours of the 2015 Hacking Team leak — began using exploits developed by the Italian spyware maker. The move showcased the Russian group’s willingness to adopt open-source malware.
In February, Synack Director of Research Patrick Wardle found that an Apple-focused hacking tool associated with APT28, which was engineered to break Apple Mac OS X and iPhone iOS backup protocols, carried ripped-off Hacking Team code.