A mysterious hacking collective known to target military personnel, government officials, think tanks and journalists was reportedly responsible for a series of cyber-espionage attacks against targets including the UK Foreign Office last year, it has been revealed.
F-Secure, a Helsinki-based cybersecurity firm, has linked highly-targeted reconnaissance activity to the "Callisto Group", a well-resourced team that has been active since at least 2015. It has a keen interest in European security policy, the firm clarified in a new threat report.
In early 2016, the group was observed sending spear-phishing emails containing malicious attachments. The targeted victims were likely compromised in a prior phase of the attack using fake warnings made to look like they were coming from Google, F-Secure said.
The emails were sent to only a "handful of targets". Some of the Gmail addresses were personal accounts that were not listed publicly, which suggests "thorough reconnaissance by the attackers". Targets included European military personnel and think tanks.
Interestingly, the malicious software used in the 2016 attack, which allegedly ran for several months, contained a variant of a government-grade surveillance tool adapted from a platform initially developed by Hacking Team, an Italian spyware firm.
Two years ago, Hacking Team was breached and, as a result, had a slew of its computer tampering products leaked onto the web. It appears the Callisto Group hackers were paying attention. However, F-Secure could not confirm whether the victims were successfully compromised.
It is understood the UK government has already investigated the previously unreported hack from last year. Nevertheless, the National Cyber Security Centre (NCSC), a fork of GCHQ, declined to comment both on the motive behind the attack and on whether data was leaked.
"The first duty of government is to safeguard the nation and as the technical authority on cyber security, the NCSC is delivering ground-breaking innovations to make the UK the toughest online target in the world," it said in a short statement.
One source told the BBC that sensitive Foreign and Commonwealth Office (FCO) data is not kept on computer networks targeted by the hacking group. On the subject of motive, F-Secure said it was unaware of any attacks that would suggest the collective was after money.
It did, however, find links between the group's infrastructure and online marketplaces selling drugs and pharmaceuticals. Additionally, some hacking infrastructure contained "links to... Russia, Ukraine, and China". True attribution, at this point, is undetermined.
"While the targeting would suggest that the main benefactor of the Callisto Group's activity is a nation-state with specific interest in the Eastern Europe and South Caucasus regions, the link [to] the sale of controlled substances hints at [...] a criminal element," the report said.
Some of the hacking techniques used – highly-targeted email phishing – were previously deployed by APT28, a Russian cyberespionage team that infiltrated the Democratic National Committee (DNC). There is nothing to link the pair at the time of writing.
F-Secure said the hackers remain active. "Should the Callisto Group be alerted to the fact that they have been noticed, we do not know how they will react. They may stop everything or they may continue as if nothing has happened," the firm concluded.
Erka Koivunen, F-Secure chief technology officer, said: "This should remind governments that we don't have monopolies on these technologies, and that mercenaries, hostile nation-states, and other threats won't hesitate to use these surveillance powers against us."