The Russian state-backed intrusion set tracked as Calisto is using spear-phishing to target NATO research institutions and strategic organizations. The group, linked to Russia’s FSB Center 18 for Information Security, has broadened its targeting to NGOs and think tanks, particularly in countries supporting Ukraine and in Eastern Europe. The campaigns use a social-engineering technique known as ClickFix, delivered through carefully crafted spear-phishing emails that impersonate trusted senders and coax the recipient into undermining their own account security.
Sekoia analysts uncovered the campaigns, which follow a multi-stage process built for credibility and operational security. The attackers first send a decoy email that refers to a missing attachment or a corrupted PDF, so that the victim writes back asking for a resend. Once the victim engages, the attackers reply with a link that passes through a redirector hosted on a compromised website before landing on the phishing page, keeping the exchange looking like a normal correspondence.
Calisto Hackers Leverage ClickFix for NATO Research Targets
The ClickFix methodology seen in these campaigns relies heavily on social engineering and on the victim’s expected behaviour. The redirectors are PHP scripts placed on compromised servers; each accepts a token as a GET parameter so that the link looks like an ordinary tracking URL, then forwards the visitor to the credential-harvesting portal. From the victim’s side the hop is seamless.
A custom phishing kit hosted on account.simpleasip[.]org specifically targets ProtonMail accounts and captures credentials with an Adversary-in-the-Middle (AitM) technique. The fake login page includes JavaScript that, on a timer, keeps returning focus to the password field so that the victim cannot easily click away from it.
When the victim submits credentials, the injected code sends them to attacker-controlled APIs on scorelikelygateway.simLeasip[.]org. That relays the authentication data to the attackers while the page shows seemingly legitimate CAPTCHA and two-factor authentication prompts, so the victim sees what looks like a normal login sequence.
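As an added illustration (not Sekoia’s tooling and not the phishing kit’s own code), the following Python heuristic walks constructed web-proxy log lines and flags the pattern the three preceding paragraphs describe: a GET to a PHP script carrying a tracking-style token parameter that 30x-redirects to another domain, followed by a credential POST to a host other than the login page the victim landed on. The log layout (timestamp, client, method, URL, status, redirect target) is an assumption, the hostnames with `.example` are hypothetical, the two kit hosts are copied from this page (with the `[.]` defanging removed), and the registrable-domain helper is deliberately naive.

```python
"""Heuristic detection for the redirector-plus-AitM flow described above.

Added example, not Sekoia's tooling or the phishing kit's own code. The log
layout (timestamp client method url status redirect_target) is an assumption;
the sample lines are constructed, using the hostnames named in the report
(un-defanged) plus hypothetical .example hosts for benign traffic.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hosts named in the report (defanged there as account.simpleasip[.]org and
# scorelikelygateway.simLeasip[.]org); compared case-insensitively.
KNOWN_HOSTS = {"account.simpleasip.org", "scorelikelygateway.simleasip.org"}

# Parameter names a redirector uses so that its link passes for a tracking URL.
TRACKING_PARAMS = {"token", "t", "tid", "id", "ref", "track"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
CRED_PATHS = re.compile(r"/(api|auth|login|signin|verify)", re.I)

# Constructed sample: one victim (10.0.0.15) walking the phishing flow and one
# user (10.0.0.22) doing an ordinary SSO login that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z 10.0.0.15 GET https://blog.hypothetical-ngo.example/wp-includes/track.php?token=a1b2c3d4 302 https://account.simpleasip.org/login
2024-05-01T09:12:02Z 10.0.0.15 GET https://account.simpleasip.org/login 200 -
2024-05-01T09:12:40Z 10.0.0.15 POST https://scorelikelygateway.simleasip.org/api/auth 200 -
2024-05-01T09:13:05Z 10.0.0.22 GET https://static.analytics.example/track.php?v=3 200 -
2024-05-01T09:14:10Z 10.0.0.22 GET https://www.company.example/login 302 https://sso.company.example/login
2024-05-01T09:14:12Z 10.0.0.22 POST https://sso.company.example/login 302 https://www.company.example/home
"""


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); real deployments should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line):
    ts, client, method, url, status, target = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "target": None if target == "-" else target}


def looks_like_redirector(ev):
    """GET to a .php script with a tracking-style parameter that redirects
    to a different registrable domain: the redirector pattern in the report."""
    if ev["method"] != "GET" or ev["status"] not in REDIRECT_STATUSES or not ev["target"]:
        return False
    u = urlsplit(ev["url"])
    if not u.path.lower().endswith(".php"):
        return False
    if not set(parse_qs(u.query)) & TRACKING_PARAMS:
        return False
    return registrable_domain(u.hostname) != registrable_domain(urlsplit(ev["target"]).hostname)


def analyse(log_text):
    """Return (client, finding, detail) tuples in log order."""
    findings = []
    landed = defaultdict(set)  # client -> hosts it reached through a redirector
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        u = urlsplit(ev["url"])
        host = u.hostname.lower()
        if host in KNOWN_HOSTS:
            findings.append((ev["client"], "known_phishing_host", host))
        if looks_like_redirector(ev):
            dest = urlsplit(ev["target"]).hostname.lower()
            landed[ev["client"]].add(dest)
            findings.append((ev["client"], "php_redirector", f"{host} -> {dest}"))
        elif (ev["method"] == "POST" and CRED_PATHS.search(u.path)
              and landed[ev["client"]] and host not in landed[ev["client"]]):
            # Credentials submitted to a host other than the page the victim
            # landed on: the fake login page relaying to a separate API host.
            findings.append((ev["client"], "cross_host_credential_post", host))
    return findings


if __name__ == "__main__":
    for client, kind, detail in analyse(SAMPLE_LOG):
        print(f"{client}  {kind:28s} {detail}")
```

The cross-host rule is scoped to clients that already passed through a flagged redirector, which is what keeps the ordinary SSO hop for 10.0.0.22 out of the findings; on real traffic it would still need tuning against legitimate third-party login providers.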
Infection Mechanism and Persistence Tactics
After capturing the credentials, the kit contacts ProtonMail’s legitimate infrastructure to fetch valid endpoints, so that the session looks like an ordinary login and does not immediately trip detection. The attackers also route their own access through proxy services to mask their origin; Sekoia’s logs show requests arriving from an IP address associated with the Big Mama Proxy service.
Sekoia’s infrastructure analysis shows Calisto’s tradecraft steadily evolving. The group registers domains through several registrars and has moved from Regway to Namecheap’s authoritative name servers. Registrar and name-server patterns like these let threat-intelligence analysts pivot between and correlate campaigns, although firm attribution of any single piece of infrastructure remains difficult at times.
Despite repeated public disclosures of its activity, Calisto continues to expand its phishing operations, with a particular focus on individuals and organizations in countries that support Ukraine. Its targets remain consistent with Russian intelligence priorities: humanitarian work, press freedom advocacy, and strategic research. The sustained pressure on these sectors reflects an ongoing geopolitical espionage effort against Western institutions and their allies.
The continuous adaptation of Calisto’s operations underscores the persistent threat posed by state-backed groups. Organizations should harden their defences, train staff to recognise and report the resend-request lure and look-alike login pages, and stay alert to social engineering of this kind. Because the kit works as an AitM proxy, a one-time code typed into it can be relayed; phishing-resistant MFA such as FIDO2 security keys or passkeys, which bind the authentication to the real site’s origin, is the control that defeats this class of kit. The evolution of these attacks suggests such campaigns will continue, so ongoing monitoring and proactive defence remain necessary for security teams and the institutions they protect.