
US charges two Russians in hacks of government accounts

Two Russian nationals were indicted on Thursday for their alleged role in targeting U.S. government and military officials as part of a hacking campaign also aimed at the United Kingdom, Ukraine and NATO.

Federal Security Service (FSB) Center 18 officer Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets were named in court documents alongside several other unindicted conspirators for launching a “sophisticated spear phishing campaign to gain unauthorized, persistent access into victims’ computers and email accounts.”

“The Russian government continues to target the critical networks of the United States and our partners, as highlighted by the indictment unsealed today,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division.

The U.S. action came on the heels of a related announcement by U.K. officials, which said the FSB mounted a “sustained but unsuccessful” campaign to undermine democratic institutions there.

Both Peretyatko and Korinets were also sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). The State Department posted a reward of up to $10 million for information that would identify their location as well as the location of their conspirators.

Top cybersecurity agencies in the U.S., U.K., Australia, New Zealand and Canada released an advisory identifying the group’s tactics, including the abuse of webmail addresses from Outlook, Gmail, Yahoo and Proton to target defense agencies, academia, governmental organizations, NGOs, think tanks and politicians.

In court filings unsealed on Thursday, the Justice Department accused Peretyatko, Korinets and others of targeting current and former employees of U.S. intelligence agencies, the Department of Defense, Department of State, defense contractors and Department of Energy facilities between at least October 2016 and October 2022.

The potential victims included a wide variety of military and government officials, researchers and staff, as well as journalists in the United Kingdom, the documents said.

The hacking unit has been labeled Callisto Group by cybersecurity researchers, as well as Star Blizzard (previously SEABORGIUM) by Microsoft and COLDRIVER by Google.

The charges come months after members of Congress raised concerns about the group trying to breach three national laboratories run by the Department of Energy. The hacking campaign reportedly used fake login pages to attempt to collect credentials from nuclear scientists. All three facilities perform high-level research associated with the nation's nuclear weapons programs.

The DOJ said on Thursday that the hackers used spoofed email addresses to make messages look like they were coming from official accounts. The emails contained messages that took victims to a landing page where they were asked to provide account credentials through fake login prompts.

The hackers then used the login details to breach email accounts and more.

Crime links?

A senior DOJ official told reporters that U.S. agencies were alarmed when the investigation also revealed that officials at the FSB are working with known cybercriminals on espionage operations.

“FSB Center 18 is supposed to be the FBI’s counterpart in fighting cybercrime. But yet, in this case, we have Center 18 engaging in offensive, malicious cyber activities targeting the United States and our allies and also engaging a Russian cybercriminal to aid in those efforts,” the official said.

“So you have a law enforcement agency using offensive cyber operations leveraging a cybercriminal to aid in those targeting efforts.”

The official compared it to a 2017 situation where a Center 18 official worked with a cybercriminal to breach Yahoo.

A senior DOJ official said many countries, including the U.S., launch offensive “intelligence gathering” operations but explained that this was different because Russian officials attempted to weaponize what was stolen “to destabilize democratic processes” and were coordinating with cybercriminals on the operation.

“I think there's a worry that they're learning of these individuals based upon criminal activity they're conducting from Russia that they're alerted to either by their own investigations or foreign law enforcement notifying them of that activity. Instead of arresting them, they in turn co-opt them for their own purposes,” the DOJ official said.

The Justice Department official confirmed that in this situation, the hackers were in search of documents on foreign affairs policy, nuclear energy technology and more. The hackers were successful in compromising at least one Department of Energy employee's account, they added.

Likely still in Russia

Peretyatko and Korinets are likely still in Russia, according to U.S. officials. They were each charged with computer fraud and conspiracy to commit wire fraud. If convicted they face up to five years in prison for the computer fraud charge and a maximum penalty of 20 years in prison for the wire fraud charge.

U.S. officials said that while it would be impossible to get the men directly from Russia, they launched the case in the hopes that any movement outside of Russia will lead to their extradition — a tactic that has had some amount of success in recent years.

“The FBI will not stand idly by as Russia continues to perpetuate this type of targeted malicious activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Russian interference through malign foreign influence campaigns is deplorable, and we will not tolerate it in the United States or directed against our foreign partners.”

U.S. Attorney Ismail Ramsey added that the indictment was meant to “send a message” that the U.S. wants to “identify and disrupt cyber espionage actors, particularly those seeking to obtain government information and attempting to create chaos in democratic processes.”

In at least one instance, the hackers gave the information they stole to press in Russia and the U.K. ahead of the U.K. elections in 2019.

“Through this malign influence activity directed at the democratic processes of the United Kingdom, Russia again demonstrates its commitment to using weaponized campaigns of cyber espionage against such networks in unacceptable ways,” Olsen said.

U.K. Minister Leo Docherty said the Russian ambassador had been summoned so that the government could raise the issue and stress that the political interference is unacceptable. Liam Fox, U.K. trade minister in 2019, was allegedly targeted by the campaign.

A campaign attributed to the Russian unit in December used a spoofed Microsoft login page to attempt to harvest employee logins for a U.S. military weapons and hardware supplier. Other targets have included the military of a Balkans country and a Ukrainian defense contractor, according to Google researchers.

Microsoft report

Last year, Microsoft said it disrupted a campaign by the group. On Thursday, the company published its own research alongside the indictments, warning that the group “continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.”

According to Microsoft researchers, the hackers frequently use two different services, HubSpot and MailerLite, to launch email campaigns. The platforms provide them with dedicated subdomains that allow them to create URLs.

In July 2022, researchers at Google said they observed the group using Gmail accounts to send phishing messages to government and defense officials, politicians, non-governmental organizations (NGOs), think tanks, and journalists. In May, Reuters reported that the group was behind a hack-and-leak operation that tried to build a narrative around high-level Brexit proponents planning a coup.

Officers at the FSB’s Center 18 were previously charged in the U.S. with recruiting criminal hackers to target email services run by both Yahoo and Google.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.