The Callisto Group, a cyber-crime gang known to target military personnel, think tanks and journalists in Europe and the South Caucasus, targeted the UK government last year in a series of attacks.
The UK’s Foreign Commonwealth Office was targeted over several months in 2016 beginning in April, according to the BBC. But the UK’s National Cyber Security Centre has not confirmed whether data was stolen or not.
The BBC understands that the most sensitive Foreign Office data is not stored on the systems targeted by the hackers.
The group’s primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions, according to security firm F-Secure.
According to research from the security company, the Callisto Group has been working in phases since late 2015 in order to retrieve valuable information.
In October 2015, F-Secure said that it had observed the group sending targeted credential phishing e-mails. These e-mails looked as if they came from Google, and alerted the target that their Gmail account was about to be removed. They requested the user to click a link to a phishing website that attempts to harvest the target’s Gmail credentials.
“Based on our information, these emails were highly targeted and were only sent to a handful of targets. At least some of the recipient Gmail addresses were personal accounts of the target and not readily available to the public, suggesting thorough reconnaissance by the attackers,” the researchers said.
“Known targets include European military personnel. We also have reason to believe this or related phishing incidents targeted key personnel in European think tanks,” they added.
Security software company F-Secure believes that the email accounts compromised in this way were used for the second phase of attacks in early 2016. These were spear-phishing emails containing malicious attachments; the emails had been sent from the email accounts of individuals likely to be familiar to the recipient.
Targets included military personnel, government officials, think tanks and journalists, but F-Secure said it wasn’t aware of any evidence suggesting any of these individuals were compromised – just that they were targeted.
The malicious attachments used a feature of Microsoft Word that allows ‘objects’ to be embedded in .docx files – in the case of these files, the embedded object is the malware executable.
For it to be executed, a user would need to click an icon in the docx file, at which point Word will prompt the user with a warning. The payload will only be executed if the user acknowledges the prompt. The malware itself was first developed for law enforcement by the Italian software company HackingTeam. The company had been breached in 2015, and F-Secure believes that Callisto Group made use of the ready-made installers of the Remote Control System (RCS) platform that were then made available for anyone to use.
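An added example (not from the article or from F-Secure's report) of how a defender can triage a .docx for the kind of embedded object described above: it reads the package relationships, locates each part linked as an embedded OLE object or package, and flags whether the part carries a compound-file header or an ‘MZ’ executable header anywhere inside it. The sample document and its payload bytes are constructed inline and are not a real executable.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
EMBED_TYPES = {OFFICE_REL + "oleObject", OFFICE_REL + "package"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header

def find_embedded_objects(docx_bytes):
    """Scan a .docx (a zip container) for parts that document.xml.rels links
    as embedded OLE objects or packages. Returns a dict keyed by part name
    with the flags a triage analyst wants: part size, whether it is a
    compound file, and whether an 'MZ' (DOS/PE) header occurs inside it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        rels = "word/_rels/document.xml.rels"
        if rels not in names:
            return findings
        for rel in ET.fromstring(z.read(rels)).iter(PKG_NS + "Relationship"):
            if rel.get("Type") not in EMBED_TYPES:
                continue
            target = rel.get("Target", "")
            # Relationship targets are relative to word/ unless absolute.
            part = target[1:] if target.startswith("/") else "word/" + target
            if part not in names:
                continue  # dangling relationship; nothing to inspect
            data = z.read(part)
            findings[part] = {
                "size": len(data),
                "compound_file": data.startswith(OLE_MAGIC),
                "contains_mz": b"MZ" in data,
            }
    return findings

def build_sample_docx():
    """Constructed minimal .docx for the demo: a placeholder document part
    and one embedded object whose payload is a fake 'MZ' stub."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="' + OFFICE_REL + 'oleObject" '
            'Target="embeddings/oleObject1.bin"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/embeddings/oleObject1.bin", b"MZ" + b"\x00" * 64)
    return buf.getvalue()

if __name__ == "__main__":
    for part, info in find_embedded_objects(build_sample_docx()).items():
        print(part, info)
```

Real embedded executables are usually wrapped in a compound file (the `compound_file` flag), so any flagged part should be carved and examined rather than trusted on the basis of these two checks alone.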
Callisto Group used the ‘Scout’ malware tool from the RCS platform, which enables it to get basic system information and screenshots from a compromised PC as well as enable the installation of additional malware.
“In effect, this would have provided the Callisto Group with full remote access to the target’s computer, and by extension, to any data accessible to the target via their computer,” said F-Secure.