Russia-linked threat actors have launched a targeted cyber espionage campaign against Kazakhstan, aiming to gather economic and political intelligence in Central Asia. The campaign has been attributed to a group closely connected with APT28, a nation-state entity affiliated with Russia’s Main Intelligence Directorate (GRU). The intrusion set behind the campaign is tracked as UAC-0063; APT28 itself is known by numerous aliases, including Fancy Bear, Sofacy, and ITG05.
The Computer Emergency Response Team of Ukraine (CERT-UA) first reported UAC-0063’s operations in early 2023. The group uses malware families that are unique to it, such as HATVIBE, CHERRYSPY, and STILLARCH. Recent activities point to a broader focus, including targets in Central Asia, East Asia, and Europe, as documented by Recorded Future’s Insikt Group, which tracks the activity cluster as TAG-110.
French cybersecurity company Sekoia noted that UAC-0063’s campaign primarily aims to collect intelligence from sectors including government, NGOs, academia, energy, and defense, with a geographical focus on Ukraine, Central Asia, and Eastern Europe. The latest attacks involved sophisticated spear-phishing techniques using legitimate-looking Microsoft Office documents purportedly from Kazakhstan’s Ministry of Foreign Affairs. These documents activate a multi-stage infection chain, dubbed Double-Tap, which deploys the HATVIBE malware.
Russia-linked espionage campaign targets Kazakhstan
Researchers disclosed that the malicious documents used in the attacks contain macros designed to create a secondary, hidden document in the victims’ temporary files directory. This secondary document then opens another malicious HTML Application (HTA) file embedding a VBS backdoor named HATVIBE.
Acting as a loader, HATVIBE fetches additional VBS modules from a remote server, ultimately leading to the deployment of a Python-based backdoor called CHERRYSPY. The sophisticated Double-Tap chain uses several techniques to avoid detection, such as storing macro code in settings.xml and creating scheduled tasks without invoking schtasks.exe. According to Sekoia, these tactics and the use of HATVIBE strengthen the linkage between UAC-0063 and APT28, supporting an attribution to the Russian group with medium confidence.
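One defensive takeaway from the Double-Tap chain is that the place to look for macro-related content in a .docx is not only word/vbaProject.bin. The following triage check is an added example, not code from Sekoia or from the article; it assumes (as a hypothesis, since the report only says "settings.xml") that the staged content sits in oversized or base64-looking w:docVar entries, and the sample documents it inspects are constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Heuristic threshold (assumption): a document variable longer than this is
# unlikely to be an ordinary setting and deserves a closer look.
MAX_NORMAL_DOCVAR = 200
B64_LIKE = re.compile(r"[A-Za-z0-9+/=]{40,}")

def build_docx(settings_xml: str, with_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip with the given word/settings.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings_xml)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()

def inspect_docx(data: bytes) -> dict:
    """Flag a VBA project and any docVar in settings.xml that looks like a stash."""
    findings = {"has_vba_project": False, "suspicious_docvars": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba_project"] = "word/vbaProject.bin" in names
        if "word/settings.xml" in names:
            root = ET.fromstring(z.read("word/settings.xml"))
            for var in root.iter(f"{{{W_NS}}}docVar"):
                name = var.get(f"{{{W_NS}}}name", "")
                val = var.get(f"{{{W_NS}}}val", "")
                if len(val) > MAX_NORMAL_DOCVAR or B64_LIKE.fullmatch(val):
                    findings["suspicious_docvars"].append((name, len(val)))
    return findings

# Constructed samples: a benign settings.xml and one carrying a large blob.
BENIGN_SETTINGS = (f'<w:settings xmlns:w="{W_NS}"><w:docVars>'
                   '<w:docVar w:name="lang" w:val="en"/></w:docVars></w:settings>')
STASH_SETTINGS = (f'<w:settings xmlns:w="{W_NS}"><w:docVars>'
                  f'<w:docVar w:name="payload" w:val="{"A" * 300}"/>'
                  '</w:docVars></w:settings>')
BENIGN_DOCX = build_docx(BENIGN_SETTINGS, with_vba=False)
SUSPICIOUS_DOCX = build_docx(STASH_SETTINGS, with_vba=True)

if __name__ == "__main__":
    print(inspect_docx(BENIGN_DOCX))
    print(inspect_docx(SUSPICIOUS_DOCX))
```

A hit on either finding is a triage signal, not proof of compromise; confirm by extracting and reviewing the flagged variable and any VBA project.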
In a related development, Recorded Future has revealed that several countries in Central Asia and Latin America have acquired Russia’s SORM (System for Operative Investigative Activities) wiretapping technology from multiple Russian providers. Countries like Belarus, Kazakhstan, Kyrgyzstan, Uzbekistan, Cuba, and Nicaragua are reportedly using this technology, which allows for wide-ranging interception of communications. The technology has legitimate uses but has also been misused for political repression and surveillance of journalists and activists without appropriate oversight.
The export and use of Russian surveillance technologies in these regions likely bolster Moscow’s influence, expanding its reach over its perceived traditional sphere of influence. This campaign underscores the ongoing threat of cyber espionage and the strategic importance of robust cybersecurity measures to protect sensitive information and national security.