As uncovered by enterprise security company Positive Technologies, the Calypso APT (or Advanced Persistent Threat) group has been active since 2016 and has targeted state institutions in India, Brazil, Kazakhstan, Russia, Thailand and Turkey.
The attacks worked by hacking the perimeter of an organization’s systems, then using special utilities and malware to gain access to the internal network. Once inside, the hackers could move through the system in one of two ways: either by exploiting Remote Code Execution vulnerabilities or using stolen credentials.
With this method, the attack group was able to successfully damage government organizations in every country they targeted. Positive Technologies attributed the group’s success to its use of widely available public tools: “These attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration. The group used publicly available utilities and exploit tools, such as SysInternals, Mimikatz, EternalBlue and EternalRomance.”
Positive Technologies believes the Calypso APT group to be Chinese-speaking due to its use of PlugX malware, a favorite tool among Chinese groups, as well as the Byeby trojan. In addition, it uncovered some real IP addresses of the hackers which were linked to Chinese providers.
More details about the specifics of the attacks can be found in the Calypso APT report.