{
	"id": "7a7109bd-2627-4eb9-8124-0408ebd92732",
	"created_at": "2026-04-06T00:11:24.790261Z",
	"updated_at": "2026-04-10T13:12:16.809503Z",
	"deleted_at": null,
	"sha1_hash": "0b647244098201d3d5c734179accc730c3a7c664",
	"title": "Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61032,
	"plain_text": "Two Russian Nationals Working with Russia’s Federal Security\r\nService Charged with Global Computer Intrusion Campaign\r\nPublished: 2023-12-07 · Archived: 2026-04-05 13:50:47 UTC\r\nA federal grand jury in San Francisco returned an indictment on Tuesday charging two individuals with a\r\ncampaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty\r\nOrganization member countries and Ukraine, all on behalf of the Russian government. \r\nAccording to court documents, Ruslan Aleksandrovich Peretyatko (Перетятько Руслан Александрович), an\r\nofficer in Russia’s Federal Security Service (FSB) Center 18, Andrey Stanislavovich Korinets (Коринец Андрей\r\nСтаниславович) and other unindicted conspirators employed a sophisticated spear phishing campaign to gain\r\nunauthorized, persistent access (i.e., “hack”) into victims’ computers and email accounts.\r\n“The Russian government continues to target the critical networks of the United States and our partners, as\r\nhighlighted by the indictment unsealed today,” said Assistant Attorney General Matthew G. Olsen of the Justice\r\nDepartment’s National Security Division. “Through this malign influence activity directed at the democratic\r\nprocesses of the United Kingdom, Russia again demonstrates its commitment to using weaponized campaigns of\r\ncyber espionage against such networks in unacceptable ways. 
The Department of Justice will respond to such\r\nbehavior with an even more determined commitment to disrupt those activities and to hold accountable the\r\nindividuals responsible.”\r\n“Today’s indictment is part of a coordinated international response to send a message to the conspirators that the\r\nwhole of the United States government stands together and with our partners internationally to identify and disrupt\r\ncyber espionage actors, particularly those seeking to obtain government information and attempting to create\r\nchaos in democratic processes,” said U.S. Attorney Ismail J. Ramsey for the Northern District of California. “We\r\nare grateful to all of our partners for their assistance in addressing these threats posed by the FSB’s action in the\r\nNorthern District of California, across the United States and around the world.”   \r\n“The FBI will not stand idly by as Russia continues to perpetuate this type of targeted malicious activity,” said\r\nAssistant Director Bryan Vorndran of the FBI’s Cyber Division. “Russian interference through malign foreign\r\ninfluence campaigns is deplorable, and we will not tolerate it in the United States or directed against our foreign\r\npartners. The FBI is dedicated to combating this pervasive threat and will tirelessly seek to prevent and disrupt\r\nthese criminal acts carried out by Russia.”\r\nThe indictment, which was unsealed today, alleges the conspiracy targeted current and former employees of the\r\nU.S. Intelligence Community, Department of Defense, Department of State, defense contractors, and Department\r\nof Energy facilities between at least October 2016 and October 2022. 
In addition, the indictment alleges the\r\nconspirators – known publicly by the name “Callisto Group” – targeted military and government officials, think\r\ntank researchers and staff, and journalists in the United Kingdom and elsewhere, and that information from certain\r\nof these targeted accounts was leaked to the press in Russia and the United Kingdom in advance of U.K. elections\r\nin 2019. \r\nhttps://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer\r\nPage 1 of 4\n\nAs a common example, the conspirators used “spoofed” email accounts designed to look like personal and work-related email accounts of the group’s targets. The conspirators allegedly also sent sophisticated looking emails that\r\nappeared to be from email providers suggesting users had violated terms of service. These messages were\r\ndesigned to trick victims into providing their email account credentials to false login prompts. Once the\r\nconspirators fraudulently obtained the victim’s credentials, they were able to use those credentials to access the\r\nvictims’ email accounts at will.\r\nIn addition to the indictment, the Department of the Treasury’s Office of Foreign Assets Control (OFAC)\r\nannounced that it has sanctioned both Peretyatko and Korinets for their roles in malicious cyber-enabled activity.\r\nMoreover, the United Kingdom has issued sanctions\r\nof its own, and the U.S. 
Department of State announced rewards of up to $10 million for information leading to\r\nthe identification or location of Peretyatko and Korinets, as well as their conspirators.\r\nIn addition to the name “Callisto Group,” FSB Center 18 is known by cybersecurity investigators as “Dancing\r\nSalome” by Kaspersky Labs, “STAR BLIZZARD” by Microsoft Threat Intelligence Center and “COLDRIVER”\r\nby Google’s Threat Analysis Group.\r\nThe defendants are each charged with one count of conspiracy to commit an offense against the United States,\r\nnamely, computer fraud, which carries a maximum sentence of five years in prison for PERETYATKO, and up to\r\n10 years for KORINETS. The maximum potential sentences in this case are prescribed by Congress and are\r\nprovided here for informational purposes only, as any sentencings of the defendants will be determined by the\r\nassigned judge.\r\nThe investigation was conducted jointly by the U.S. Attorney’s Office for the Northern District of California, the\r\nNational Security Cyber Section of the Justice Department’s National Security Division and the FBI San\r\nFrancisco Field Office. The FBI’s Cyber Division, Cyber Assistant Legal Attachés, and Legal Attachés in\r\ncountries around the world provided essential support. Numerous victims cooperated and provided valuable\r\nassistance in the investigation.\r\nAn indictment is merely an allegation. 
All defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law.\r\nNote: This release has been updated to reflect the correct criminal offense and statutory penalties.\r\nSource: https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer"
	],
	"report_names": [
		"two-russian-nationals-working-russias-federal-security-service-charged-global-computer"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8b61d214-62b2-455b-8eb4-fb0594763787",
			"created_at": "2023-01-06T13:46:38.502064Z",
			"updated_at": "2026-04-10T02:00:03.002552Z",
			"deleted_at": null,
			"main_name": "Dancing Salome",
			"aliases": [],
			"source_name": "MISPGALAXY:Dancing Salome",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b647244098201d3d5c734179accc730c3a7c664.pdf",
		"text": "https://archive.orkl.eu/0b647244098201d3d5c734179accc730c3a7c664.txt",
		"img": "https://archive.orkl.eu/0b647244098201d3d5c734179accc730c3a7c664.jpg"
	}
}