September 29, 2017

Leaked HackingTeam spyware used by attack group to collect intelligence


F-Secure Labs uncovers cyber attack group collecting intelligence on foreign and security policy in Europe using spyware developed for law enforcement agencies.

Buckinghamshire, UK – 13th April 2017: A new report published by F-Secure Labs claims that a previously unknown cyber attack group has been conducting intelligence gathering on foreign and security policy in eastern Europe and the south Caucasus. The report describes the Callisto Group as a highly motivated and well-resourced threat that’s been conducting cyber attacks on military personnel, government officials, journalists and think tanks since at least 2015.


According to the report, the Callisto Group is responsible for several attacks in 2015 and 2016. And while the report does not identify specific victims, it does say the common theme amongst the group’s targets is a connection with foreign and security policy involving eastern Europe and the south Caucasus, suggesting intelligence gathering as the group’s motive.


The report notes that the group’s infrastructure has links with entities in Russia, Ukraine and China, but does not offer definitive conclusions about who is behind the group. The report also highlights that while there is evidence suggesting the group has ties with a nation-state, the specifics of that relationship are unclear.


“They act like nation-state attackers, but there’s also evidence linking them with infrastructure used by criminals,” said F-Secure’s security advisor Sean Sullivan. “So they could be an independent group that’s been contracted by a government to do this work, or possibly doing it on their own with the intent of selling the information to a government or intelligence agency. But there are several explanations in addition to these, and we can’t say one way or the other based on the current evidence.”


In addition to discussing the Callisto Group’s targets and motives, the report details the attack pattern the group uses to compromise its targets. According to the report, the Callisto Group uses highly targeted phishing attacks to steal credentials for email accounts, as well as highly personalised, convincing spear phishing emails intended to infect its targets with malware. These spear phishing emails were often sent from email accounts compromised by the group’s previous phishing attacks.


The malware delivered by these spear phishing emails was designed to steal information from their targets, as well as infect them with additional malware. The report notes that this malware is a variant of the Scout tool developed by Italian surveillance firm HackingTeam. The Scout tool was part of a spyware toolset HackingTeam sold to government agencies that was stolen and leaked online in 2015.


According to F-Secure’s chief information security officer Erka Koivunen, the Callisto Group’s use of spyware designed for law enforcement is a stark reminder of the dangers of surveillance technologies.


“The adoption of government-grade spyware by attackers shouldn’t surprise anyone. Surveillance tools are by their very nature designed to invade people’s privacy. In well-functioning democracies these invasions are mandated by laws, and citizens rely on authorities to use them responsibly with proper checks and balances in place,” said Koivunen. “But data breaches and subsequent leaks of professional-grade surveillance tools give these invasive capabilities to a range of different threats. This should remind governments that we don’t have monopolies on these technologies, and that mercenaries, hostile nation-states, and other threats won’t hesitate to use these surveillance powers against us.”


The report highlights that the group remains active, and that how they’ll respond to being discovered is unknown. It also provides indicators of compromise and mitigation strategies for any potential targets concerned about the Callisto Group or other threats using similar attacks. F-Secure products currently feature behavioural, generic and other detections to protect users from Callisto Group activity.






More Information:

Callisto Group

News from the Labs – The Callisto Group


About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.


Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.


F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland


T: 01753 376592




