Hackers Part of Callisto and Armageddon Groups
The European Union sanctioned four Russian domestic intelligence agency hackers including two military officers who participated in what researchers have described as “hack and leak” operations against Western governments.
The two officers are part of a Federal Security Service hacking group known as Callisto Group and Coldriver and formerly tracked by Microsoft as Seaborgium.
The U.K. government in December accused the group of running a decade-long spear-phishing campaign against lawmakers in multiple political parties and leaking classified trade documents published ahead of Britain’s 2019 election. The two officers, Ruslan Peretyatko and Andrey Korinets, already face sanctions from the British and U.S. governments and a criminal indictment in the United States (see: UK and US Accuse Russian FSB of ‘Hack and Leak’ Operation).
The Council of the European Union, a body that represents trading bloc governments, also announced sanctions against two members of the Armageddon hacking group. The council said the group, also known as Gamaredon, “is supported” by the Federal Security Service, Russia’s successor to the Soviet Union’s KGB. Armageddon has been operational since 2013 or 2014 and consists of regular officers of the FSB and some former law enforcement officers of Ukraine, the Security Service of Ukraine reported in 2021. One of the two sanctioned Armageddon hackers is Mykola Chernykh. The council identifies him as a former official in the Security Service of Ukraine, and he is wanted by Kyiv for treason. The other is Oleksandr Sklianko.
Both threat actors are known for their phishing tactics, including the use of legitimate documents stolen from compromised government and military organizations. The threat actors take pains to make their emails appear legitimate, including by using spoofed email accounts that appear to originate from the work and personal email accounts of military officers and civil servants.
Also coming under new European sanctions are ransomware hackers Mikhail Tsarev, aka Mango, and Maksim Galochkin, aka Bentley – members of the malware gang behind the TrickBot ransomware dropper. The men already have been sanctioned by the U.S. and the United Kingdom and face criminal charges in the United States (see: US, UK Sanction 11 Russian Cybercriminals Tied to TrickBot).
The council said the two men belong to Wizard Spider, a financially motivated hacking group also known as Fin12 and Grimspider. British and American authorities have said that Wizard Spider cultivated ties to Russian intelligence and received tasking orders from the Kremlin.
Russia tolerates cybercriminals operating from within its borders partly because criminal hackers can become “a pool of potential proxies that can be mobilized at a moment’s notice,” cybersecurity scholar Tim Maurer said in 2018.