Threat Intelligence Tarot
swords · 8
Russia (FSB Centre 18)
G1004 · ★★★★★
risk 3/5
✦ The Confessor ✦
Callisto Group
SEABORGIUM · Coldriver · Star Blizzard · TA446
UK government · NATO countries · Journalists · Think tanks · Former intelligence officials
Active since ~2015 · Credential harvesting, Western political intelligence, Dossier building on targets
It builds a persona - a credible academic, a conference organizer, a think-tank researcher. It befriends. It follows for months. Then it sends a Google Docs link that steals the password of someone who thought they were among colleagues. The Confessor never forces. It is patient enough to be trusted first.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- UK Conservative Party donors and MPs credential harvest (2023)
- Former MI6 chief targeted via fake conference invitations
- US DoJ indictments of FSB officers (2023)
- Persistent targeting of UK-US policy communities over 8+ years
Defenses
- Phishing-resistant MFA for email and cloud accounts (NIST SP 800-63B)
- Security awareness for targeted spearphishing and pretexting (NIST SP 800-50)
- Email authentication (DMARC, SPF, DKIM) (CIS Control 9)
- Verification procedures for unexpected document sharing requests (NIST CSF: PR.AT)
Reversed: Their Weakness
The Callisto Group's reliance on persona-building and long-term relationship cultivation makes it slow. When exposed, the entire social infrastructure - the fake personas, the established trust - collapses simultaneously.
Data sourced from MITRE ATT&CK. For educational purposes.