
Russian hackers are involved in attacks on the UK government


The Federal Security Service of the Russian Federation (FSB), created as the successor to the KGB of the Soviet Union, is the Kremlin’s main counterintelligence and security agency. The FSB is also very active in cyberwarfare, with various units focused on numerous external targets, including many Western democracies.

UK and US authorities have exposed the dangerous activities of an FSB-sponsored advanced persistent threat (APT) group, which security companies track under names such as Star Blizzard, Callisto Group or Seaborgium. Over the years, this group has actively tried to interfere in the political process in the UK and other countries, using sophisticated attack and evasion techniques, which are also detailed by Microsoft Security.

Centre 18, an FSB unit believed to be linked to the Callisto APT group, is responsible for a series of cyber espionage operations against high-ranking individuals. According to the UK’s National Cyber Security Centre (NCSC), Centre 18 has worked with Callisto/Star Blizzard for years to attack mailboxes of government, military and media organizations. Spear phishing campaigns started back in 2019 and continued until 2023.

As the NCSC explained, Star Blizzard’s typical cyber espionage activity uses open-source resources to conduct reconnaissance on professional social media platforms. FSB agents carefully study their targets, identifying real social or professional contacts. Email accounts impersonating these contacts are then created, along with fake social media profiles, and are ultimately used to send a malicious PDF document hosted on legitimate cloud platforms.


The PDF file is designed to redirect the victim to a phishing site that uses the open-source EvilGinx attack framework to steal user credentials and session authentication cookies. This allows Russian spies to bypass advanced security measures such as two-factor authentication, enter a victim’s mailbox, steal data and documents, and set forwarding rules to permanently access the victim’s future messages.

The group can then use its illicit access to compromised email inboxes to discover and identify other targets of interest. According to Microsoft’s latest investigation, the group uses increasingly sophisticated methods to avoid identification, including server-side scripts to prevent automated scanning of actor-controlled infrastructure, using email marketing platform services to hide real senders, masking IP addresses behind DNS providers, and more.
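The mailbox persistence described above (a stolen session cookie followed by a forwarding rule) is something defenders can hunt for in mailbox audit data. The following Python code is an added example, not part of the original article or of the NCSC or Microsoft reports; the event schema, action names, domains and sample events are constructed assumptions, and the IP-change check is a heuristic rather than proof of cookie replay.

```python
from datetime import datetime

ORG_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains
# Hypothetical action names in a simplified, constructed audit schema.
FORWARD_ACTIONS = {"NewInboxRule", "SetMailboxForwarding"}

def ev(time, user, action, session, ip, forward_to=None):
    return {"time": time, "user": user, "action": action,
            "session": session, "ip": ip, "forward_to": forward_to}

# Constructed sample events (documentation IP ranges, example domains).
EVENTS = [
    ev("2023-05-02T09:00:00", "alice@example.org", "SignIn", "s1", "198.51.100.10"),
    ev("2023-05-02T09:20:00", "alice@example.org", "MailRead", "s1", "203.0.113.77"),
    ev("2023-05-02T09:22:00", "alice@example.org", "NewInboxRule", "s1",
       "203.0.113.77", "archive@mail.example.net"),
    ev("2023-05-02T10:00:00", "bob@example.org", "SignIn", "s2", "198.51.100.20"),
    ev("2023-05-02T10:05:00", "bob@example.org", "NewInboxRule", "s2",
       "198.51.100.20", "team-inbox@example.org"),
    ev("2023-05-02T11:00:00", "carol@example.org", "SignIn", "s3", "192.0.2.5"),
    ev("2023-05-02T11:03:00", "carol@example.org", "SetMailboxForwarding", "s3",
       "192.0.2.5", "carol@personal.example.com"),
]

def find_suspicious_forwarding(events, org_domains=ORG_DOMAINS):
    """Flag forwarding to external domains; escalate if the session changed IP."""
    first_ip = {}  # session id -> IP that first used the session
    findings = []
    for e in sorted(events, key=lambda x: datetime.fromisoformat(x["time"])):
        first_ip.setdefault(e["session"], e["ip"])
        if e["action"] not in FORWARD_ACTIONS or not e["forward_to"]:
            continue
        domain = e["forward_to"].rsplit("@", 1)[-1].lower()
        if domain in org_domains:
            continue  # internal forwarding is out of scope here
        # A session token appearing from a second IP is consistent with cookie replay.
        moved = e["ip"] != first_ip[e["session"]]
        findings.append({"user": e["user"], "forward_to": e["forward_to"],
                         "severity": "high" if moved else "medium"})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_forwarding(EVENTS):
        print(f)
```
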

British authorities have said Star Blizzard and other FSB cyber espionage units have been involved in several high-profile incidents over the years. Since 2015, Russian agents have attempted to hack political representatives through phishing attacks, tampered with election records, and targeted universities, journalists, the public sector and non-governmental organizations (NGOs) that play a key role in British democracy.


The authorities of Great Britain and the United States revealed the identities of two people involved in the aforementioned phishing attacks: FSB officer Ruslan Oleksandrovych Peretyatka and “IT worker” Andrii Stanislavovich Korinets.

These two spies are believed to be responsible for Callisto’s APT operations against British organizations, with “failed attempts” leading to the leak of some documents. Peretyatka and Korinets have been sanctioned by the UK and the US, and the US State Department’s Rewards for Justice (RFJ) program is currently offering a reward of up to $10 million for additional information leading to the location of Peretyatka, Korinets or other members of the Callisto group.


Source: techspot