Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin’s efforts to gather economic and political intelligence in Central Asia.
The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063, which likely shares overlap with APT28, a nation-state group affiliated with Russia’s General Staff Main Intelligence Directorate (GRU). It’s also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
UAC-0063 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in early 2023, detailing its attacks on government entities using malware families tracked as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx). It’s worth pointing out that the use of these malware strains has been exclusive to this group.
Subsequent campaigns have been observed setting their sights on organizations in Central Asia, East Asia, and Europe, according to Recorded Future’s Insikt Group, which assigned the activity cluster the name TAG-110.
“UAC-0063 targeting suggests a focus on intelligence collection in sectors such as government, including diplomacy, NGOs, academia, energy, and defence, with a geographic focus on Ukraine, Central Asia, and Eastern Europe,” French cybersecurity company Sekoia said in a new analysis.
The latest set of attacks involves using legitimate Microsoft Office documents originating from the Ministry of Foreign Affairs of the Republic of Kazakhstan as spear-phishing lures to activate a multi-stage infection chain dubbed Double-Tap that drops the HATVIBE malware. It’s currently not known how these documents were procured, although it’s possible they were exfiltrated in a prior campaign.
Specifically, the documents are laced with a malicious macro that, when run by the victims, is engineered to create a second blank document in the “C:Users[USER]AppDataLocalTemp” location.
“This second document is automatically opened in a hidden Word instance by the initial macro, to drop and execute a malicious HTA (HTML Application) file embedding a VBS [Visual Basic Script] backdoor nicknamed ‘HATVIBE,'” Sekoia researchers said.
HATVIBE operates as a loader, receiving next-stage VBS modules for execution from a remote server, which ultimately paves the way for a sophisticated Python backdoor named CHERRYSPY. The HTA file containing HATVIBE is designed to run for four minutes by launching mshta.exe.
“What makes this Double-Tap infection chain quite unique is that it employs many tricks to bypass security solutions such as storing the real malicious macro code in the settings.xml file and creating a scheduled task without spawning schtasks.exe for the second document or using, for the first document, an anti-emulation trick aimed to see if the execution time has not been altered, otherwise the macro is stopped,” the researchers said.
Sekoia said the HATVIBE attack sequence demonstrates targeting and technical overlaps with APT28-related Zebrocy campaigns, allowing it to attribute the UAC-0063 cluster to the Russian hacking group with medium confidence.
“The theme of spear-phishing weaponized documents indicates a cyber espionage campaign focused on collecting strategic intelligence on diplomatic relations between Central Asia states, especially on Kazakhstan’s foreign relations, by Russian intelligence,” the company added.
Russia’s SORM platform Sold in Central Asia and Latin America
The development comes as Recorded Future revealed that several countries in Central Asia and Latin America have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from at least eight Russian providers such as Citadel, Norsi-Trans, and Protei, potentially allowing Russian intelligence agencies to intercept communications.
Russia’s SORM is an electronic surveillance apparatus capable of intercepting a wide range of internet and telecommunications traffic by authorities without the knowledge of the service providers themselves. It enables the monitoring of landline and mobile communications, as well as internet traffic, Wi-Fi, and social media, all of which can be stored in a searchable database.
It’s been assessed that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.
“While these systems have legitimate security applications, the governments […] have a history of misusing surveillance capabilities, including repression of political opposition, journalists, and activists, without effective or independent oversight,” Insikt Group said.
“More broadly, the export of Russian surveillance technologies will likely continue to offer Moscow opportunities to expand its influence, particularly in areas it deems to be under its traditional sphere of the ‘near abroad.'”
