Callisto Group Repurposed Dumped Hacking Team Spying Tool
Hackers Didn't Try to Reinvent the Wheel, Security Firm F-Secure Says
Cyberattackers love not having to reinvent the wheel.
The latest example of that ethos comes via an outfit that Finnish information security firm F-Secure has labeled the Callisto Group, which it says has been using the "Scout" spyware tool developed by the controversial surveillance vendor Hacking Team.
"The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists" in Europe and in the South Caucasus, the region on the border of Eastern Europe and Western Asia, F-Secure says in a related malware analysis. The Callisto Group's chief aim appears to be intelligence gathering, especially relating to security and foreign policy, and there appears to be no financial motive, it adds.
Scout - part of Hacking Team's RCS Galileo platform - is a lightweight backdoor designed for this type of reconnaissance, and includes the ability to capture screenshots as well as install additional malware on an infected PC. Hacking Team, based in Milan, Italy, sells its Galileo software to police and government intelligence agencies.
But versions of the malware can be found for free online, thanks to Hacking Team having been hacked in July 2015 and 400 GB of corporate data - including Scout source code - dumped online by an individual or group called "PhineasFisher."
Subsequently, Callisto began putting the dumped code to work. "We named this group 'Callisto,' as they used Hacking Team's RCS Galileo malware, and Galileo Galilei found the Callisto moon of Jupiter," says Mikko Hypponen, F-Secure's chief research officer, via Twitter.
Two Attack Phases Spotted
F-Secure says it's seen at least two Callisto Group attack phases to date:
- October 2015: Callisto began sending a "handful" of highly targeted attacks to "European military personnel," F-Secure says, designed to harvest victims' Google credentials.
- Early 2016: The group began sending malicious attachments to targets, sometimes from email accounts that were known to victims - some of which had been compromised in the first phase of attacks.
Although F-Secure has not seen any related malware attacks since then, it warns that the group is still active and continues to register new phishing infrastructure on a weekly basis.
It's not clear who's behind Callisto Group. While there are some obvious potential culprits - including a cybercrime or nation-state group tied to Russia, Ukraine or China - "we do not believe it is possible to make any definitive assertions regarding the nature or affiliation of the Callisto Group based on the currently available information," F-Secure says.
F-Secure has also published indicators of compromise for the malware used by the group to date, as well as details of the related phishing infrastructure, including more than 45 domains that appear to have been used in phishing attacks. "These may be used as targets of links or as domains for sender email addresses," F-Secure says.
The examples F-Secure published show that the domains can appear legitimate at first glance, which is why they need to be checked mechanically rather than by eye.
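Because the published indicators are domains that may appear either as link targets or as sender domains, the practical check is to pull both out of a suspect message and compare them against the list. The following Python script is an added example, not F-Secure's code or tooling; the domain names in PHISHING_DOMAINS and the sample message are constructed for the demonstration and are not the indicators F-Secure published. It parses the sender addresses from the addr-spec (not the display name, which phishers often fill with a legitimate-looking address) and extracts the host of every http(s) link in the text parts, then does an exact-label suffix match so that subdomains of an indicator also match while look-alike strings that merely end in the same characters do not.

```python
"""Match a raw e-mail's sender domains and link hosts against a phishing-domain indicator list."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed indicator list standing in for a published phishing-domain feed.
# These are hypothetical names on the reserved .example TLD, not real indicators.
PHISHING_DOMAINS = {
    "accounts-google-verify.example",
    "mail-secure-login.example",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_matches(host, iocs=PHISHING_DOMAINS):
    """True if host equals an indicator or is a subdomain of one.

    Label-boundary matching: 'login.bad.example' matches 'bad.example',
    but 'notbad.example' does not, because the suffix is checked with a dot.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def sender_domains(msg):
    """Domains of the addr-spec in From, Return-Path and Reply-To, ignoring display names."""
    domains = []
    for header in ("From", "Return-Path", "Reply-To"):
        for value in msg.get_all(header, []):
            _display_name, addr = parseaddr(value)
            if "@" in addr:
                domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def link_hosts(msg):
    """Hostnames of every http(s) URL found in the text parts of the message."""
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def scan_email(raw):
    """Return the sender domains and link hosts that match the indicator list."""
    msg = message_from_string(raw)
    hits = {"sender": [], "link": []}
    for domain in sender_domains(msg):
        if host_matches(domain):
            hits["sender"].append(domain)
    for host in link_hosts(msg):
        if host_matches(host):
            hits["link"].append(host)
    return hits


# Constructed sample message. The display name carries a legitimate-looking address,
# while the real addr-spec and the Return-Path point at indicator domains.
SAMPLE_EMAIL = """\
From: "security@google.com" <no-reply@accounts-google-verify.example>
Return-Path: <bounce@mail-secure-login.example>
To: target@example.org
Subject: Unusual sign-in attempt
Content-Type: text/plain; charset="utf-8"

We blocked a sign-in attempt. Review it here:
http://login.accounts-google-verify.example/verify?u=target
Help centre: https://www.example.com/help
"""

if __name__ == "__main__":
    for kind, matched in scan_email(SAMPLE_EMAIL).items():
        print(kind, matched)
```

Running the script reports the two sender domains and the one link host that match, while the benign help-centre link is ignored. On a real mailbox you would feed in each message's raw source and load the indicator set from F-Secure's published list instead of the constructed one.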
The Galileo Wrinkle
Unfortunately for people targeted with the Galileo spyware, the spear-phishing component of Callisto's attacks appears to be extremely well designed. "The spear-phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment," F-Secure says.
Thankfully, however, users would still have to click on a specific icon inside the Word document before the attack could continue, and recent versions of Word also warn users that doing so is dangerous. Of course, not everyone runs a recent version of Word, and not everyone heeds such warnings.
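A document that makes the reader click an icon to continue is, in Office terms, a document carrying an embedded object. The page does not describe the internals of Callisto's attachments, so the assumption that they used an embedded object is mine; the script below is an added example, not F-Secure's tooling, and the sample document it builds is constructed in memory rather than taken from any real attachment. It triages a .docx/.docm by listing the files under word/embeddings/, reading the ProgID of each OLEObject element in word/document.xml (Word uses "Package" for an arbitrary embedded file), and flagging the presence of word/vbaProject.bin, which indicates macros. Legacy binary .doc files are not ZIP containers and are deliberately rejected rather than misreported as clean.

```python
"""Triage Word OOXML documents for embedded objects (the click-the-icon lure) and VBA macros."""
import io
import re
import zipfile

# Matches <o:OLEObject ... ProgID="..."> as Word serialises embedded objects in document.xml.
OLE_RE = re.compile(r'<o:OLEObject\b[^>]*\bProgID="([^"]*)"')


def inspect_docx(data):
    """Return embedded-object and macro findings for an OOXML Word document given as bytes."""
    findings = {"embeddings": [], "ole_progids": [], "has_vba": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc or a non-Office file: refuse to call it clean.
        raise ValueError("not an OOXML container; inspect with a legacy .doc parser instead")
    with archive as zf:
        names = zf.namelist()
        findings["embeddings"] = sorted(n for n in names if n.startswith("word/embeddings/"))
        findings["has_vba"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
            findings["ole_progids"] = OLE_RE.findall(xml)
    return findings


def is_suspicious(findings):
    """A document that needs a click-to-run object or carries macros deserves a second look."""
    return bool(findings["embeddings"]) or bool(findings["ole_progids"]) or findings["has_vba"]


def build_sample_docx(embed_object):
    """Construct a minimal docx-like archive for the demonstration (not a Word-valid file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
        if embed_object:
            # An embedded "Package" object: the icon the recipient is lured into clicking.
            body += ('<w:object><o:OLEObject Type="Embed" ProgID="Package" '
                     'ShapeID="_x0000_i1025" r:id="rId5"/></w:object>')
            # Constructed stand-in for the OLE compound file; only the magic bytes are real.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        zf.writestr("word/document.xml", "<w:document><w:body>" + body + "</w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("lure", build_sample_docx(True)), ("plain", build_sample_docx(False))):
        result = inspect_docx(doc)
        print(label, "suspicious" if is_suspicious(result) else "no embedded objects", result)
```

The lure document is flagged because of the oleObject1.bin entry and the Package ProgID, while the plain document passes. This is a triage filter for a mail gateway or incident-response workstation, not a verdict: embedded objects have legitimate uses, so a hit means "open in a sandbox," not "malicious."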
Even so, many anti-virus products can spot the RCS Galileo malware payload and block it outright. "Using an up-to-date antivirus solution with all protection features enabled is the most effective mitigation against highly targeted attacks such as these," F-Secure says.
For anyone who suspects they may have been infected, its advice is to disconnect the PC from the internet but not power it down, since powering off destroys volatile evidence held in memory and can complicate subsequent digital forensic analysis.
Callisto isn't unique in its quest to reuse attack code that's been developed by others. Indeed, reusing code found in the wild is a long-standing technique practiced by many developers, including nation-state attackers.
The Vault 7 dump released by WikiLeaks beginning in March, which purportedly details part of the CIA's hacking arsenal, for example, suggests that the agency also takes this approach. In particular, its UMBRAGE team maintains a repository of code snippets sourced from malware and open source code, offering everything from inspiration to cut-and-paste functionality.
"The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions," according to a leaked document. "Rather than building feature-rich tools, which are often costly and can have significant CI [counterintelligence] value, this effort focuses on developing smaller and more targeted solutions built to operational specifications."
Examples range from remote access tools to disk-wiping capabilities. Such an approach saves time and money, and may also help attackers produce more generic-looking code, making attacks tougher to attribute.
Top Threat: Phishing
Regardless of whether attackers reuse code, the Callisto campaigns serve as a reminder that phishing remains a favored technique for attackers. That can include campaigns designed to infect large numbers of systems, as was seen recently after the zero-day flaw in Microsoft Word came to light.
But phishing also remains a frequently used technique for highly targeted attacks. Thankfully, as the operational security expert known as the Grugq has noted, enabling two-factor authentication and using a password manager to generate complex, unique passwords is often an effective defense, especially against non-targeted attacks.
"You are going to be phished long before you are going to be hit with CIA 0days. Enable 2FA and get a password manager."
- the grugq (@thegrugq), March 8, 2017
But there are some caveats. For starters, he recommends not using cloud-based password managers, since they take the data out of users' control.
For two-factor authentication, meanwhile, penetration testing expert Thomas Ptacek advises against using SMS-based tokens whenever possible, since these can be intercepted by malware.