Leaked HackingTeam spyware was used by a cyber-spy group to collect intelligence.
The Callisto Group cyber-spies collected intel on foreign and security policy in eastern Europe and the south Caucasus using spyware developed for law enforcement agencies, according to F-Secure Labs. The group – which remains active – has targeted military personnel, government officials, journalists and think tanks since at least 2015.
An investigation [PDF] published by F-Secure on Thursday reports that the Callisto Group's infrastructure has links with entities in Russia, Ukraine and China. F-Secure is not saying who is behind the Callisto Group other than to suggest the sponsor is probably a nation state.
"They act like nation-state attackers, but there's also evidence linking them with infrastructure used by criminals," said F-Secure's security advisor Sean Sullivan. "So they could be an independent group that's been contracted by a government to do this work, or possibly doing it on their own with the intent of selling the information to a government or intelligence agency."
The Callisto Group's tradecraft typically relies on highly targeted phishing attacks and malware. The malware used by the group is a variant of the Scout tool developed by Italian surveillance firm HackingTeam.
The Scout tool was part of a spyware toolset HackingTeam sold to government agencies that was stolen and leaked online two years ago.
F-Secure's chief information security officer Erka Koivunen said the snoopers' use of spyware designed for law enforcement illustrates the dangers of surveillance technologies.
"This should remind governments that we don't have monopolies on these technologies, and that mercenaries, hostile nation states, and other threats won't hesitate to use these surveillance powers against us," Koivunen said.
F-Secure's report provides indicators of compromise and mitigation strategies for any potential targets concerned about the Callisto Group or other threat actors (i.e. cyber-spies) that take to using similar tactics. ®