
A sophisticated cyber espionage operation targeting Kazakhstan has been linked to Russia-affiliated threat actors, specifically UAC-0063, which shares similarities with the notorious APT28 (also known as Fancy Bear) group connected to Russia’s GRU intelligence agency.
The Campaign’s Key Elements:
– Uses spear-phishing emails that carry legitimate Kazakhstan Ministry of Foreign Affairs documents
– Implements a complex “Double-Tap” infection chain
– Deploys specialized malware including HATVIBE, CHERRYSPY, and STILLARCH
Technical Operations:
The attack begins with malicious macros embedded in Microsoft Office documents, creating a hidden secondary document that deploys HATVIBE, a loader that facilitates the installation of CHERRYSPY, an advanced Python backdoor.
Security researchers at Sekoia identified sophisticated evasion techniques, including:
– Macro code concealment in settings.xml
– Stealth scheduled task creation
– Anti-emulation timing checks
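The macro concealment in settings.xml that Sekoia reports is a reason to triage every part of an Office container rather than only the default macro location. The script below is an added example written for this page, not code from the original article or from Sekoia: it opens an OOXML document in memory and flags it when a vbaProject.bin part is present or when a settings.xml part holds VBA-like keywords, a long base64-like blob, or an unusual size. The size threshold, keyword list and the two sample documents are constructed assumptions for illustration, and the heuristic is a triage aid, not a signature for the campaign.

```python
"""Triage an OOXML (.docx/.docm) container for macro indicators outside the usual places."""
import io
import re
import zipfile

# Heuristic threshold (assumption): a legitimate settings.xml is usually a few KB.
SETTINGS_SIZE_THRESHOLD = 20_000
# VBA-looking tokens that have no business appearing in a settings part.
VBA_KEYWORDS = re.compile(rb"(?i)\b(Sub\s+\w+|AutoOpen|Document_Open|CreateObject|Shell|WScript)\b")
# A long run of base64 alphabet characters suggests an embedded encoded payload.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def triage_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML file given as bytes."""
    findings = {"has_vba_project": False, "settings_anomalies": [], "parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["parts"] = names
        # A vbaProject.bin part means the document carries a VBA project, wherever it sits.
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith("settings.xml"):
                continue
            content = zf.read(name)
            if len(content) > SETTINGS_SIZE_THRESHOLD:
                findings["settings_anomalies"].append(f"{name}: oversized ({len(content)} bytes)")
            if VBA_KEYWORDS.search(content):
                findings["settings_anomalies"].append(f"{name}: VBA-like keywords")
            if BASE64_BLOB.search(content):
                findings["settings_anomalies"].append(f"{name}: long base64-like blob")
    findings["suspicious"] = findings["has_vba_project"] or bool(findings["settings_anomalies"])
    return findings


def build_sample_docx(settings_xml: bytes, with_vba: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", settings_xml)
        if with_vba:
            # OLE compound-file magic followed by filler; stands in for a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a normal settings part and one carrying a docVar blob plus VBA text.
BENIGN_SETTINGS = (
    b'<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:zoom w:percent="100"/></w:settings>'
)
SUSPICIOUS_SETTINGS = (
    b'<w:settings><w:docVars><w:docVar w:name="payload" w:val="'
    + b"QUJD" * 100
    + b'"/></w:docVars><!-- Sub AutoOpen() --></w:settings>'
)

if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(BENIGN_SETTINGS, False)),
                       ("suspicious", build_sample_docx(SUSPICIOUS_SETTINGS, True))):
        result = triage_ooxml(doc)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "clean", result["settings_anomalies"])
```

On real files, pass `open(path, "rb").read()` to `triage_ooxml`; anything flagged still needs a proper macro dump and sandbox run, since the heuristic only says where to look.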
SORM Surveillance Technology Expansion:
In parallel with these cyber operations, Russian surveillance technology (SORM) has been sold to various nations in Central Asia and Latin America, including:
– Belarus, Kazakhstan, Kyrgyzstan, Uzbekistan
– Cuba and Nicaragua
SORM capabilities include:
– Interception of telecommunications
– Internet traffic monitoring
– Social media surveillance
– Data storage and search functionality
This dual approach of cyber espionage and surveillance technology deployment suggests a comprehensive strategy by Russia to maintain influence and gather intelligence in regions of strategic interest.