Russian agents with FSB’s notorious ‘Center 18’ cyber unit are charged in hacking plot targeting US officials and allies with ‘sophisticated’ email phishing campaign to steal credentials

U.S. officials have accused Russian agents of waging a sophisticated, long-running cyber espionage campaign targeting intelligence and military officials in the U.S., Britain and other NATO allies.

The hacking campaign was overseen by a clandestine group known as 'Callisto Group', based within the Center 18 cyber unit of Russia's Federal Security Service (FSB), according to an indictment unsealed on Thursday.

FSB official Ruslan Aleksandrovich Peretyatko and IT expert and bodybuilder Andrey Stanislavovich Korinets, 36, have been charged with overseeing the global hacking campaign, which also targeted British politicians and journalists.

Victims in the U.S. included a retired Air Force general, former intelligence officials and current and former employees of the State Department and the Department of Energy, the indictment said.

“The Russian government continues to target the critical networks of the United States and our partners, as evidenced by the indictment unsealed today,” said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division.

Intelligence officer Ruslan Aleksandrovich Peretyatko (left) and bodybuilder Andrey Stanislavovich Korinets (right) are charged in a hacking campaign targeting the US and UK

U.S. officials have accused Russian agents of waging a sophisticated, long-running cyberespionage campaign. Pictured is Vladimir Putin at an FSB conference

On Thursday, the British Foreign Office revealed parallel allegations that Callisto Group had made a sustained but failed attempt to interfere in British politics by targeting the private conversations of elected officials, civil servants and public figures there.

British Foreign Secretary David Cameron said: “Russia's attempts to interfere in British politics are completely unacceptable and seek to threaten our democratic processes.”

Callisto Group is accused of hacking into top British politicians, including the personal email account of former Trade Secretary Liam Fox, to steal classified documents relating to US-UK trade negotiations.

The group was also thought to be behind the leak of private emails of former British spymaster Richard Dearlove in 2022.

“Through this malicious influence activity targeting Britain's democratic processes, Russia is once again demonstrating its commitment to unacceptable use of armed cyberespionage campaigns against such networks,” Olsen, the U.S. attorney, said.

The Russian Foreign Ministry said in a statement that the hacking allegations were “fabricated” and were “purely opportunistic and politically motivated in nature.”

The responsible unit within Center 18 is known to American researchers as Callisto Group and is also called 'Dancing Salome' by Kaspersky Labs, 'STAR BLIZZARD' by Microsoft and 'COLDRIVER' by Google.

According to US prosecutors, the Russian cyber espionage campaign lasted from at least October 2016 to October 2022.

The plot involved a tactic known as 'spear phishing', which uses targeted and personalized emails in an attempt to deceive targets.

Prosecutors say the hackers often used “spoofed” email accounts designed to resemble the personal and work email accounts of the group's targets.

The hackers are also accused of sending emails designed to appear to come from email service providers, claiming that the targets had violated the terms of service.

The emails contained malicious links that led the targets to hacker-controlled websites, where they were asked to enter their login credentials, thinking they were on the service provider's legitimate website.

The headquarters of the Russian Federal Security Services (FSB) in central Moscow

“The FBI will not stand idly by while Russia continues to pursue this type of targeted malicious activity,” said Assistant Director Bryan Vorndran of the FBI's Cyber Division.

“Russian interference through malign foreign influence campaigns is deplorable, and we will not tolerate it in the United States or against our foreign partners.”

Center 18 is one of two known cyber espionage units within the FSB, the Russian intelligence and law enforcement agency that succeeded the Soviet KGB.

The group is said to be committed to combating cybercrime, but Western officials say it actually focuses on carrying out attacks on opponents.

The US indictment alleges that FSB officer Peretyatko oversaw the campaign using IT infrastructure built and operated by Korinets in Syktyvkar, Russia.

In addition to the indictment, the US and Britain announced sanctions against both Peretyatko and Korinets for their roles in the campaign.

Both men are at large and are believed to be in Russia. The US State Department has announced a $10 million reward for information leading to their arrest.

Korinets, one of two sanctioned FSB hackers, told Reuters in a telephone interview on Thursday that he was not aware of any sanctions against him, or why such measures would have been taken.

A Western government official told Reuters that the Callisto Group is still very active and part of Moscow's “Active Measures” – a Cold War term used by the Soviet Union to describe covert political disinformation campaigns.

Both suspects are at large and are probably in Russia. The US State Department has announced a $10 million reward for information leading to their arrest

“Because of Britain's support for Ukraine, we are in a state of 'grey warfare' with Russia; and the Russians will use all means at their disposal to attack British interests unless there is open conflict,” Dearlove, the former head of Britain's Secret Intelligence Service (MI6), told Reuters.

Many of the group's targets in Britain have been outspokenly critical of Russia and its war in Ukraine.

Stewart McDonald, a British lawmaker who has publicly supported Kiev and spoken out against Russian interference for years, said in February that the group had hacked his private emails.

“Russia's military intelligence service, the GRU, has received most of the attention when it comes to election-related activities, which is only natural given their history of serious incidents in the United States and France, but this actor is someone to watch closely when elections are near,” said John Hultquist, head of threat analysis at Google's Mandiant Intelligence.

Britain's Foreign Office said Thursday that it was Callisto Group/COLDRIVER that leaked secret British-American trade documents ahead of the 2019 British election.

“The FSB clearly has an interest in political interference, and hacked emails are a powerful tool,” Hultquist said.