Russian cyber-spies identified in APT attacks against UK democracy

In context: Born as the successor agency to the Soviet Union's KGB, the Federal Security Service of the Russian Federation (FSB) is the Kremlin's primary agency for counter-intelligence and security. The FSB is also a highly active cyber-warfare actor, with various units focused on numerous external targets, including many Western democracies.

UK and US authorities are exposing the troublesome activities of an advanced persistent threat (APT) group sponsored by the FSB, a team tracked by security companies as Star Blizzard, Callisto Group, or Seaborgium. The group has actively sought to interfere with the political process in the UK and other nations for years, utilizing complex attack and evasion techniques that Microsoft Security also details extensively.

Centre 18, the FSB division likely related to the Callisto ATP group, is being held accountable for a series of cyber-espionage operations against high-profile individuals. According to the UK's National Cyber Security Centre (NCSC), Centre 18 collaborated with Callisto / Star Blizzard for years to target webmail accounts used by government, military, and media organizations. The group's spear-phishing campaigns were active as early as 2019 and have continued through 2023.

Star Blizzard's typical cyber-espionage activity exploits open-source resources to conduct reconnaissance on professional social media platforms, the NCSC explained. FSB agents extensively research their targets, identifying real-world social or professional contacts. Email accounts impersonating those contacts are then created with fake social media or networking profiles, ultimately used to send a malicious PDF document hosted on legitimate cloud platforms.

The PDF is designed to redirect the target to a phishing site, where the open-source EvilGinx attack framework is employed to steal both user credentials and session authentication cookies. This allows Russian spies to bypass advanced security protections, such as two-factor authentication, log into the target's email account, pilfer data and documents, and establish forward rules for ongoing access to the target's future communications.

The group can then exploit their illicit access to the compromised email accounts to discover and identify other interesting targets. According to Microsoft's latest investigation, the group is now utilizing increasingly sophisticated techniques to evade identification, including server-side scripts to prevent automated scanning of actor-controlled infrastructure, use of email marketing platform services to conceal true email senders, IP-masking DNS providers, and more.

Star Blizzard and the other FSB cyber-espionage units have been involved in several high-profile incidents throughout the years, UK authorities noted. Russian agents have attempted to hack political representatives with spear-phishing attacks since 2015, have breached election documents, and have targeted universities, journalists, public sectors, and non-government organizations (NGOs) playing a key role in UK democracy.

UK and US authorities have now disclosed the identities of two individuals associated with the aforementioned spear-phishing activities: FSB officer Ruslan Aleksandrovich Peretyatko and "IT worker" Andrey Stanislavovich Korinets.

The two spies are likely responsible for Callisto's APT operations against UK organizations, with "unsuccessful attempts" resulting in some documents being leaked. Peretyatko and Korinets have been sanctioned by the UK and US, and the US Department of State's Rewards for Justice (RFJ) program is currently offering a reward of up to $10 million for additional information useful in locating Peretyatko, Korinets, or other members of the Callisto group.