Whether it's the CIA, or likely Russian hackers, stealing malware from other people happens more than you might think. Now, there is another notable
Now, there is another notable example of attackers re-purposing hacking tools made by someone else for their own gains. A hacking unit dubbed the Callisto Group allegedly used malware stolen from Italian surveillance company Hacking Team and subsequently dumped online, according to a report from cybersecurity firm F-Secure published on Thursday.
The evidence points “towards this being a group that grabbed the leaked tools, because it was the easiest way,” Sean Sullivan, security advisor at F-Secure told Motherboard in a Twitter direct message.
According to the report, the Callisto Group is particularly interested in gathering intelligence on European foreign and security policy. Since at least late 2015, the group has targeted European military personnel with phishing emails, and government officials, think tanks, and journalists with malicious attachments.
Although the hacking attempts with malware don’t seem to have actually been successful, where that malware ultimately came from is interesting.
“In all known malicious attachments, the final payload was a variant of the ‘Scout’ tool from the Hacking Team Remote Control System (RCS) Galileo hacking platform,” the report reads.
Hacking Team is an Italian surveillance company that sells malware exclusively to law enforcement and intelligence agencies. It’s “Scout” tool is usually the first step in an attack, designed to gain access to the target machine, gather basic system information, and likely download additional malware modules.
In 2015, a hacker targeted the company and released a treasure-trove of internal Hacking Team files online, including source code for the firm’s malware, and a number of files that would install it.
F-Secure believes the Callisto Group used the latter to setup a version of RCS for its own hacking campaign. As the company points out, there are plenty of tutorials online for how to get an instance of RCS up and running with the software and code available. (Motherboard also found a step-by-step guide on a popular Russian cybercrime forum).
“RCS has an embedded ‘customer ID’, and the customer ID from the Callisto samples matches the ‘Hacking Team field engineer demo’ ID which matches the ID that you’ll get if you use the leaked builders,” Sullivan said. And while the Callisto Group was using RCS, other actors were already deploying more recent, and presumably purchased versions of the software.
Naturally, this isn’t the first time someone has pinched a piece of malware and used it themselves. In February, malware allegedly used by the Russian hacking group that targeted the US Democratic National Committee found its way online. According to a security researcher, a large part of that malware was copied and pasted from Hacking Team’s Mac software. (F-Secure says the Callisto Group hasn’t been identified before, so it’s probably not the same hackers).
The CIA allegedly borrows code from public malware samples so the agency doesn’t have to build, say, a hard-drive wiping module or a keylogger from scratch.
And even if attackers don’t steal tools themselves, government and criminal hackers sometimes end up using some of the same specific exploits. On Wednesday, Motherboard reported that someone had used a Microsoft Word exploit to deliver hacking tools sold exclusively to governments, while criminals had also recently deployed the same attack for spreading their own malware.
Who is actually behind the Callisto Group is less clear. F-Secure say the targets may suggest a nation state with interest in Eastern Europe and the South Caucasus, but the company also found links between the group’s infrastructure and websites selling controlled substances. That could imply the hackers are criminal rather than strictly governmental in nature.
The BBC reported that the Callisto Group had targeted the UK’s Foreign and Commonwealth Office.