the FSB unit which watches over Moscow’s international interests


The United Kingdom and the United States denounced on Thursday a long-term operation by the Russian cyberespionage group Callisto. Two Russians were even implicated. What they have in common: both are linked to Center 18, a unit of the FSB, the Russian intelligence service, which is supposed to specialize in surveillance of the population.

Two new names have just been added to the growing list of Russian hackers and cyberspies who threaten the West. Andreï Korinets and Ruslan Peretyatko have been accused by the United Kingdom and the United States of being the main architects of a vast campaign of influence and data hacking carried out since 2015 on both sides of the Atlantic. And behind them looms the specter of a very specific unit of the FSB, one of the Russian intelligence agencies: Center 18, to which both men appear to be linked.

In the United States, the Department of Justice accuses Andreï Korinets and Ruslan Peretyatko of having hacked the email accounts of employees of the Pentagon, the Ministry of Foreign Affairs, the Ministry of Energy, as well as private companies in the defense sector.

Spying on ex-MI6 boss

But it is in the United Kingdom that this duo seems to have been most active. Since 2015, it has orchestrated digital surveillance of “multiple parliamentarians from several parties, journalists, NGOs, academics and other personalities who play a key role in the democratic process”, say the British authorities.

This operation also made it possible to “hack the documents of a trade agreement between the United States and the United Kingdom which had been leaked before the British general election in 2019”, according to the British government's press release.

They are also accused of having managed to break into the mailbox of Richard Dearlove, the former boss of MI6, the British foreign intelligence service, and of having stolen the private communications of this former spy chief. A theft which resulted in the disclosure in 2022 of Richard Dearlove’s discussions with a pro-Brexit pressure group which wanted to push London to adopt an even harsher tone with the European Union, underlines the Guardian.

Quite a wild card for two individuals who seem to be operating from the depths of Russia. Ruslan Peretyatko is an FSB agent stationed in Syktyvkar, a town in the Komi Republic in northeastern Russia, located more than 1,000 km from Moscow. His accomplice, Andreï Korinets, operates in the same city but not directly for the FSB. The American authorities suspect him of being a more or less influential figure in the local hacker community who was allegedly recruited by the intelligence services.

“This is a classic case of Russian intelligence agencies using an outside intermediary to do this kind of work,” said John Fokker, head of threat intelligence at cybersecurity firm Trellix’s research center.

Callisto, Star Blizzard or Seaborgium

Already in 2017, Center 18 of the FSB had hired Russian cybercriminals to hack and steal the accounts of 500 million Yahoo email users, according to American authorities.

What all these operations have in common is the intrusion into the mailboxes of their targets. This is one of the specialties of Center 18, which has a team dedicated to this task, known by multiple names: Callisto group, Star Blizzard or Seaborgium.

Center 18 is one of the two main units of the famous Russian intelligence agency that carry out cyber operations. The other is Center 16, “which is more specialized in the interception of electronic signals, like those from satellites for example,” notes Maxime Arquillère, cybersecurity analyst for the company Sekoia.io.

Historically, Center 18 was “established around ten years ago to protect Russian critical infrastructure against the threats of cyberattacks and informational threats”, underlines Olesya Tkacheva, specialist in Russian cybersecurity issues at the Brussels School of Governance.

It is therefore a unit that is supposed to deal above all with internal security issues. It is even “a central pillar of the Russian cyber surveillance system because it is Center 18 which ensures that telecommunications companies install the device which allows Moscow to spy on the online activities of its citizens”, notes Olesya Tkacheva.

And yet, the Callisto group from Center 18 has developed real expertise beyond Russia's borders in “stealing data from email accounts in order to be able to rely on it and possibly distort it to construct narratives that go in the direction of the interests of the Russian state”, summarizes Maxime Arquillère.

Targeting NGOs that document war crimes

This is what these cyber spies did with the former boss of British MI6. “Sowing chaos within the administration of the main European ally of the United States – enemy number 1 of Moscow – fits perfectly with the objectives of the Russian regime,” underlines Gérôme Billois, cybersecurity expert at the consultancy firm Wavestone.

This same branch of the FSB is also suspected of having carried out a cyberespionage campaign for a year against four NGOs which collect evidence of war crimes in conflict zones… such as in Ukraine. “It’s probably a way of allowing Moscow to prepare a response,” said Maxime Arquillère.

Each time, these Russian agents take their time. They get to know the targets, contact them pretending to be an acquaintance and establish a relationship of trust. Finally, they send them an email containing a virus allowing them to enter their mailbox. “They do not use very sophisticated techniques, but they demonstrate great determination and an excellent ability to identify their targets,” underlines Gérôme Billois.

However, they are not the only ones in this niche. The GRU – Russian military intelligence – has its own team of cyber spies, called APT28 (or Fancy Bear). Better known than the little hands of Center 18, these are the hackers who notably hacked the servers of the American Democratic Party as part of the Russian influence operation during the 2016 presidential campaign in the United States.

In that case, why is Center 18 treading on the turf of the illustrious APT28 group, when it surely already has enough to do monitoring opponents and muzzling information around the war in Ukraine?

“It is possible that these FSB spies have, through their internal surveillance mission, better knowledge of the network of local cybercriminals whom they can then recruit to carry out operations externally,” says John Fokker.

There may also be power struggles between services “to curry favor with Vladimir Putin, especially less than a year before the next presidential election,” notes Olesya Tkacheva. Finally, the growing importance of international operations for the Callisto group of Center 18 may also be a reflection of “the increase in Russian cyberattacks against NATO countries, which pushed the Kremlin to broaden the scope of action of Center 18”, adds the expert from the Belgian university.

With important events in 2024 – the American presidential election and the European elections – specialists in cyberespionage for political purposes will probably increase their operations, assures the Guardian. Center 18 has proven with its operation in the United Kingdom that it knows how to do this.

“Obviously there are going to be cyberoperations during these meetings because it is in Moscow’s interest,” explains Gérôme Billois. But we should not expect a repeat of the 2016 campaigns to influence the American election, this expert wants to believe. The world has changed in the meantime, and techniques have become more refined, both on the part of the attackers and those who want to protect themselves against them. In other words, no one yet knows what form this confrontation of spies which is likely to mark next year will take.
