Russian-linked threat actors have been attributed to an ongoing cyberespionage campaign targeting Kazakhstan as part of the Kremlin’s efforts to gather economic and political intelligence in Central Asia.
The campaign was rated as the work of a duplicate set of intrusions UAC-0063which likely intersects with APT28, a nation-state group linked to the Main Intelligence Directorate (GRU) of the Russian General Staff. It is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy and TA422.
UAC-0063 bldg documented for the first time by the Ukraine Emergency Response Team (CERT-UA) in early 2023, detailing its attacks on government structures using malware families tracked as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx). It should be noted that the use of these malware strains was unique to this group.
The next hikes were is observed focusing on organizations in Central Asia, East Asia and Europe, reports Insikt Group Recorded Future, which named the activity cluster TAG-110.
“The focus of UAC-0063 is to focus on intelligence gathering in sectors such as government, including diplomacy, NGOs, academia, energy and defense, with a geographic focus on Ukraine, Central Asia and Eastern Europe,” the French company said in a statement. Sekoia Cyber Security. said in a new analysis.
The latest series of attacks involves using legitimate Microsoft Office documents originating from the Ministry of Foreign Affairs of the Republic of Kazakhstan as phishing lures to activate a multi-stage infection chain called Double-Tap that removes the HATVIBE malware. At this time it is not known how these documents were obtained, although it is possible that they were stolen during the previous campaign.
Specifically, the documents contain a malicious macro that, when run by victims, creates a second empty document in the location “C:\Users\(USER)\AppData\Local\Temp\”.
“This second document automatically opens in a hidden instance of Word using the original macro to delete and execute a malicious HTA (HTML Application) file that embeds a VBS (Visual Basic Script) backdoor nicknamed ‘HATVIBE,'” the Sekoia researchers said.
HATVIBE works as a loader, fetching next-stage VBS modules to execute from a remote server, ultimately paving the way for a sophisticated Python backdoor called CHERRYSPY. The HTA file containing HATVIBE is designed to run for four minutes when running mshta.exe.
“What makes this Double-Tap infection chain quite unique is that it uses many tricks to bypass security solutions, such as storing the actual malicious macro code in the settings.xml file and creating a scheduled task without creating a schtasks.exe for a second document or using for the first document an anti-emulation trick aimed at seeing if the runtime has been modified, otherwise the macro terminates,” the researchers said.
Sekoia said the sequence of the HATVIBE attack shows targeting and technical overlap with the APT28-related Zebras companieswhich allows us to attribute the UAC-0063 cluster to a Russian hacking group with moderate confidence.
“The theme of the documents with the use of phishing weapons indicates a cyberespionage campaign aimed at gathering strategic intelligence information about diplomatic relations between Central Asian states, especially the foreign relations of Kazakhstan, from Russian intelligence,” the company added.
The Russian SORM platform is sold in Central Asia and Latin America
The development comes after Recorded Future revealed that several countries in Central Asia and Latin America have acquired System of Operations and Reconnaissance (SORM) listening technology from at least eight Russian suppliers, such as Citadel, Norsi-Trans and Protei, potentially allowing Russian intelligence agencies to intercept communications.
Russia’s SORM is an electronic surveillance device capable of intercepting a wide range of Internet and telecommunications traffic by authorities without the knowledge of the service providers themselves. It allows you to monitor landline and mobile communications, as well as internet traffic, Wi-Fi and social networks, all of which can be stored in a searchable database.
It was estimated that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan and Uzbekistan, as well as the Latin American countries of Cuba and Nicaragua, are most likely to have acquired the technology to eavesdrop on citizens.
“While these systems have legitimate security programs, governments (…) have a history of abusing surveillance capabilities, including repression against political opposition, journalists and activists, without effective or independent oversight,” Insikt Group said.
“More broadly, the export of Russian surveillance technology is likely to continue to offer Moscow opportunities to expand its influence, especially in areas it considers the traditional sphere of the ‘near abroad.’
