Reporters Without Borders (RSF) has discovered, after a months-long investigation conducted with technical support from the French cybersecurity company Sekoia, that it was targeted by a cyberattack orchestrated by a group known as Callisto, reportedly close to Kremlin intelligence services. The attack – a phishing attempt – did not succeed. RSF is regularly targeted by digital operations against its IT systems and its reputation due to the NGO’s work in defence of a free press and the right to reliable information in Russia.
In March 2025, RSF received a malicious email. The attacker, impersonating a trusted contact, invited a staff member to open an attachment that was, in fact, missing. This technique aims to elicit a reply from the e-mail recipient who requests the “missing” file. Then, the attacker builds credibility before sending an infected document or a malicious link. In this case, the reply arrived in English even though the initial email was written in French. That inconsistency aroused the suspicion of the targeted user, who reported it to the RSF cybersecurity team.
In the same month of the attack, RSF asked Sekoia to conduct an in‑depth investigation, and on Wednesday, 3 December 2025, it published a detailed report on the operation. According to Sekoia, the cyber-espionage group Callisto (also known as UNC4057, Star Blizzard and ColdRiver), which multiple intelligence agencies assess to be close to Russia’s Federal Security Service (FSB), was behind this operation. Sekoia qualifies Callisto as an advanced persistent threat (APT): an attacker that maintains a covert and durable presence in a victim’s information system.
“This attack is not a matter of chance. RSF, which defends global press freedom and actively assists Russian journalists fleeing their country, is a regular target of the Kremlin and the constellation surrounding Vladimir Putin’s regime. The March 2025 attack is just one example among several targeted operations against the organisation that have taken a very concrete, political turn in recent months; the NGO was even designated an ‘undesirable organisation’ in Russia in August 2025.
“In the face of cyberthreats, RSF benefits from cutting‑edge technical solutions as well as external expertise capable of detecting and characterising the cyberoperations that target us. Improving our cyberdefence capabilities and raising users’ awareness of the weak signals that foreshadow operations that could be harmful is a daily challenge.
RSF is regularly targeted by digital attacks initiated or actively amplified by Russian services or actors who propagate their narratives. In March 2025, the organisation denounced a disinformation campaign based on doctored videos falsely attributing statements to its leadership. In 2024, RSF filed a complaint against the platform X after repeated reports of disinformation content targeting the organisation went unanswered by the platform’s moderation. One such piece of content — a fake video mimicking the British international news channel BBC that cited a fabricated RSF “study” on supposed Nazi sympathies among Ukrainian soldiers — was shared by Russian authorities and relayed by pro‑Kremlin influencers.
