Russian hackers target Kazakh government in espionage

Russian hackers with ties to the country’s intelligence services have launched a cyber espionage campaign targeting government entities in Kazakhstan. The group, known as UAC-0063 or TAG-110, is believed to have links to APT28, also known as Fancy Bear, which is affiliated with Russia’s General Staff Main Intelligence Directorate (GRU). The attacks, first detailed by the Computer Emergency Response Team of Ukraine (CERT-UA) in early 2023, involve the use of malware families such as HATVIBE, CHERRYSPY, and STILLARCH.

These malware strains have been used exclusively by UAC-0063. Recent attacks have used legitimate Microsoft Office documents from Kazakhstan’s Ministry of Foreign Affairs as spear-phishing lures. These documents contain malicious macros that initiate a multi-stage infection chain, ultimately deploying the HATVIBE malware.

HATVIBE acts as a loader, receiving additional modules from a remote server and leading to the execution of a sophisticated Python backdoor named CHERRYSPY.

Russian hacking targets Kazakh ministries

The attack sequence employs various evasion techniques to bypass security solutions.

According to researchers at French cybersecurity company Sekoia, the targeting and technical overlaps with APT28-related activities suggest that UAC-0063 can likely be attributed to the Russian hacking group. The use of weaponized documents indicates a focus on collecting strategic intelligence regarding Kazakhstan’s diplomatic relations, particularly with Russia.

This development comes as several countries in Central Asia and Latin America have reportedly acquired Russia’s System for Operative Investigative Activities (SORM) wiretapping technology. While this technology can have legitimate security applications, there are concerns over its potential misuse for repressing political opposition, journalists, and activists without effective oversight.

As Kazakhstan seeks to broaden its diplomatic relations and maintain a balanced stance amidst the Ukraine-Russia conflict, it has become a prime target for cyber espionage. The country’s central position in Asia and its role as a strategic trade bridge between China and Europe further highlight its importance in the region.
