Threat actors with ties to Russia have been linked to a cyber espionage campaign targeting organizations in Central Asia, East Asia and Europe.
Recorded Future's Insikt Group, which tracks the cluster of activity as TAG-110, said it overlaps with a threat group that Ukraine's Computer Emergency Response Team (CERT-UA) tracks as UAC-0063, which in turn overlaps with APT28. The hacking team has been active since at least 2021.
“Using the custom tools of the HATVIBE and CHERRYSPY malware, TAG-110 primarily attacks government organizations, human rights groups, and educational institutions,” the cybersecurity firm said in a report published Thursday. “HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data theft and espionage.”
TAG-110's use of HATVIBE and CHERRYSPY was first documented by CERT-UA in late May 2023 in connection with a cyber attack on Ukrainian state bodies. Both malware families were seen again more than a year later in an intrusion at an unnamed research institution in the country.
Since then, 62 unique victims have been identified in eleven countries, with notable incidents in Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan, in line with intelligence reporting on Russia's geopolitical goals in the region.
A smaller number of victims were also found in Armenia, China, Hungary, India, Greece and Ukraine.
Attack chains use the exploitation of security flaws in public-facing web applications (such as Rejetto HTTP File Server) and phishing emails as the initial access vector to deploy HATVIBE, a custom HTML application (HTA) loader that serves as a conduit for the CHERRYSPY backdoor, which handles data collection and exfiltration.
“TAG-110’s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical events and maintain influence in post-Soviet countries,” Recorded Future said. “These regions are important to Moscow due to strained relations following Russia’s invasion of Ukraine.”
Russia is also believed to have stepped up sabotage operations against Europe's critical infrastructure since its full-scale invasion of Ukraine in February 2022, targeting Estonia, Finland, Latvia, Lithuania, Norway and Poland in an effort to destabilize NATO allies and erode their support for Ukraine.
“These covert actions are consistent with Russia's broader hybrid warfare strategy aimed at destabilizing NATO countries, weakening their military capabilities and straining political alliances,” Recorded Future said, describing the effort as “calculated and persistent.”
“As relations between Russia and the West will almost certainly remain strained, Russia is very likely to increase the destructiveness and lethality of its sabotage operations without crossing the threshold of war with NATO, as discussed in the Gerasimov doctrine. These physical attacks are likely to complement Russia's cyber efforts and affect the scope of operations under Russia's hybrid warfare doctrine.”