The Russia-linked cyberespionage group known as Callisto (aka AG-53, COLDRIVER, SEABORGIUM) has been observed targeting multiple entities that provide war support for Ukraine, including private companies in the US and Europe.
Active since at least 2017, the advanced persistent threat (APT) actor is also tracked as Blue Callisto, Coldriver, Seaborgium, and Callisto Group, and is known for launching operations that align with Russian state interests.
The group was observed targeting Ukraine in the run-up to Russia’s February 2022 invasion of the country, and has shown an increased interest in Ukraine after the war started, with observed activity stretching to October 2022.
According to professional services firm PwC, between February and October 2022, Callisto targeted at least one private Ukrainian company related to logistics, while continuing to focus on governmental organizations in Europe and the US.
However, cybersecurity firm Sekoia.io reports that the group has targeted at least ten entities involved in Ukraine support, including six private companies in the US and Eastern Europe and four non-governmental organizations (NGOs).
“Most of the targeted private organizations are involved in military equipment, military logistics or humanitarian support for Ukraine, including a US company that provides humanitarian logistics and possibly tactical equipment to Kiev,” Sekoia.io says.
Targeted entities include a military equipment company in Poland (UMO), logistics companies in the US (DTGruelle) and Ukraine (Emcompass), a military and tactical equipment provider in the US (Global Ordnance), a cybersecurity firm in Estonia (BotGuard), and a US satellite communications firm (Blue Sky Network).
Callisto is also believed to have targeted NGOs and think tanks involved in war crime investigation and conflict resolution, most of which are publicly supporting Ukraine: International Center on Nonviolent Conﬂict, Commission for International Justice and Accountability, Centre for Humanitarian Dialogue, and Foundation for Support of Reforms in Ukraine.
The cybersecurity firm also observed Callisto malicious domains that are typosquatting the Russian Ministry of Interior and the Russian Federal Taxation Service, which suggests that the group might also be involved in domestic surveillance activities.
In August 2022, Microsoft announced the disruption of Callisto infrastructure, noting that the group was involved in the targeting of former intelligence oﬃcers, and Sekoia.io has found evidence supporting this theory, in the form of a domain typosquatting Sangrail Inc., a private security company.
Sekoia.io assesses that the observed activity likely contributes “to Russian efforts to disrupt Kiev supply-chain for military reinforcements”, and that “Callisto contributes to Russian intelligence collection about identiﬁed war crime-related evidence and/or international justice procedures.”
In a report this week, Recorded Future, which tracks the threat actor as TAG-53, mentions the same victimology as Sekoia.io, noting that all indicators suggest that Callisto is likely “continuing its phishing and credential-harvesting operations”, with a focus on verticals of interest to Russia in light of the war in Ukraine.