Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Jan. 14, 2025, 8:46 a.m.
Description
A cyber espionage campaign targeting Central Asian countries, particularly Kazakhstan's external relations, has been uncovered. The campaign, attributed to the Russia-aligned intrusion set UAC-0063, uses a sophisticated infection chain called Double-Tap to deliver the HATVIBE and CHERRYSPY malware. The attackers weaponized legitimate documents from Kazakhstan's Ministry of Foreign Affairs, focusing on diplomatic and economic topics. This operation aims to gather strategic intelligence on Kazakhstan's relations with Western and Central Asian countries, likely to preserve Russia's influence in the region. Technical similarities with APT28-related Zebrocy campaigns suggest a possible connection to Russian intelligence services. The campaign highlights Russia's efforts to maintain its strategic foothold in Central Asia amidst Kazakhstan's growing ties with Western states and China.
Tags
Date
- Created: Jan. 13, 2025, 4:41 p.m.
- Published: Jan. 13, 2025, 4:41 p.m.
- Modified: Jan. 14, 2025, 8:46 a.m.
Indicators
- f3e225b2b45b18a68fc3b13670f4ada91512194b
- 937b30aef519c49dd523736c2af94489bab6d9f9
- 9ba2ec040d8181891b90bbe3b4833acce51b02fd
- d21f2469cacf40de30e62b372e9dd576bdbd95ac
- 56b8e530ea74a37d9c6bfbe41dea2952340a903b
- bbb678f7214580d290db3b6aeb1fab09df3d680a
- 2fa44b62209f7181ad91a06af294f13daa096b29
- apt_UAC0063_HATVIBE_loader_deobfuscated_VBA
- apt_UAC0063_HATVIBE_loader_obfuscated_VBA
- lookup.ink
- download-resourses.info
- background-services.net
Attack Patterns
- CHERRYSPY
- HATVIBE
- UAC-0063
- T1132.001
- T1053.005
- T1059.005
- T1547.001
- T1071.001
- T1204.002
- T1105
- T1036
- T1140
- T1027
- T1112
Additional Informations
- Government
- Turkmenistan
- Mongolia
- Afghanistan
- Kyrgyzstan
- Tajikistan
- Uzbekistan
- Belgium
- Germany
- Kazakhstan