Introduction

A cyber-espionage campaign associated with the Russia-aligned group UAC-0063 has been actively targeting diplomatic entities in Kazakhstan and Central Asia. This operation employs sophisticated tactics, including the use of weaponized Microsoft Word documents, to infiltrate systems and gather strategic intelligence, particularly in the context of Kazakhstan’s geopolitical dynamics following Russia’s invasion of Ukraine.

Description

A cyber-espionage campaign linked to the Russia-aligned intrusion set UAC-0063 has been targeting diplomatic entities in Kazakhstan and Central Asia [2]. This campaign has utilized weaponized Microsoft Word documents [1] [2], including legitimate diplomatic letters and internal correspondence from Kazakhstan’s Ministry of Foreign Affairs and Kyrgyzstan’s Ministry of Defense [1], to deliver the HatVibe and CherrySpy malware [1] [2]. The primary objective is to collect strategic intelligence on Kazakhstan’s diplomatic and economic relations [1] [2], particularly in light of the country’s evolving geopolitical stance and balanced engagement with both Western and Asian powers since Russia’s invasion of Ukraine.

The infection chain [1] [2], identified as “Double-Tap,” begins with a malicious document that executes a macro designed to compromise the host system [1], ultimately deploying the HatVibe malware [2]. HatVibe functions as a VBS backdoor, retrieving and executing additional modules from a remote command-and-control (C2) server [1] [2], while CherrySpy serves as a more complex Python backdoor for further intelligence gathering [1] [2]. The campaign has been active since July 2024 and has targeted numerous victims across Central Asia, East Asia [3], and Europe [3].

Compromised documents date from 2021 to October 2024 and were likely weaponized after being exfiltrated during prior operations [2], including a previous compromise of the Tajikistan Embassy’s email account in Ukraine [3]. The attack methodology shares similarities with campaigns conducted by APT28 [2], also known as Fancy Bear, a Russian state-sponsored group linked to the GRU [2], which is known for targeting diplomatic [2], defense [1] [2], and scientific sectors across Europe and Asia [2]. Researchers have noted overlaps in tactics and infrastructure between UAC-0063 and APT28 [1], as well as technical similarities between HatVibe and ZEBROCY, another backdoor attributed to Fancy Bear [3].

Detection opportunities for this campaign include monitoring registry modifications that allow macros to run without user consent and tracking the use of mshta.exe for scheduled task execution [2]. YARA and Sigma detection rules have been provided to help organizations identify these threats [2]. Kazakhstan’s emerging role as a trade partner between China and Europe [3], along with its strategic diplomatic positioning, makes it a significant target for cyber espionage [3], as these operations aim to maintain Russian influence in the region and counter competing powers [3].
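The two detection opportunities named above (a registry change that lets Office macros run without prompting, and a scheduled task whose action launches mshta.exe) can be expressed as simple log-matching logic. The block below is an added example and is not code from any of the cited reports or from the published YARA/Sigma rules; the event shapes follow Sysmon EventID 13 (registry value set) and Windows Security 4698 (scheduled task created), and the sample events, SIDs, task names and file paths are constructed for illustration. The `VBAWarnings` value under the per-application Office `Security` key is a real setting (1 means all macros run without notification); everything else is an assumption of this example.

```python
"""Constructed detection logic for two behaviours described in the summary:
(1) an Office VBAWarnings registry value being set to 1 (macros run silently), and
(2) a scheduled task being created whose action runs mshta.exe.
Event records mimic Sysmon EventID 13 and Security EventID 4698 field names; the
sample data below is constructed, not real telemetry.
"""
import json
import re

# Per-application Office security subkey, e.g. ...\Office\16.0\Word\Security\VBAWarnings
MACRO_WARNING_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\(Word|Excel|PowerPoint)\\Security\\VBAWarnings$",
    re.IGNORECASE,
)
# mshta with or without its extension, as a whole token inside the task's action XML
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)


def macro_warning_disabled(event: dict) -> bool:
    """Sysmon 13-style event: a VBAWarnings write whose new value is 1."""
    if event.get("EventID") != 13:
        return False
    if not MACRO_WARNING_RE.search(event.get("TargetObject", "")):
        return False
    # Sysmon renders DWORD values as "DWORD (0x00000001)"
    m = re.search(r"0x([0-9a-fA-F]+)", event.get("Details", ""))
    return m is not None and int(m.group(1), 16) == 1


def task_runs_mshta(event: dict) -> bool:
    """Security 4698-style event: the registered task's XML launches mshta."""
    if event.get("EventID") != 4698:
        return False
    return bool(MSHTA_RE.search(event.get("TaskContent", "")))


def scan(json_lines):
    """Apply both checks to JSON-encoded events; return (rule, evidence) tuples."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        if macro_warning_disabled(ev):
            alerts.append(("office_macro_warnings_disabled", ev["TargetObject"]))
        if task_runs_mshta(ev):
            alerts.append(("scheduled_task_mshta", ev.get("TaskName")))
    return alerts


# Constructed sample events (SIDs, task names and paths are invented for this example)
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},                      # macros enabled silently -> alert
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000002)"},                      # 2 = disable with notification -> benign
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Updater\updater.exe"},  # unrelated key -> benign
    {"EventID": 4698, "TaskName": r"\Sync",
     "TaskContent": "<Exec><Command>C:\\Windows\\System32\\mshta.exe</Command>"
                    "<Arguments>C:\\Users\\Public\\sync.hta</Arguments></Exec>"},  # -> alert
    {"EventID": 4698, "TaskName": r"\Backup",
     "TaskContent": "<Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec>"},  # benign
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_LINES):
        print(f"{rule}: {evidence}")
```

In a real deployment the same two predicates would sit in a SIEM rule rather than a script; the value-equals-1 check matters because VBAWarnings is legitimately written with other values (for example 2, the default) by Office itself, and alerting on any write to the key would be noisy.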

Conclusion

The ongoing cyber-espionage campaign by UAC-0063 underscores the persistent threat posed by state-sponsored actors in the realm of international diplomacy and security. The use of advanced malware like HatVibe and CherrySpy highlights the need for robust cybersecurity measures and vigilant monitoring to detect and mitigate such threats. As Kazakhstan continues to navigate its strategic position between major global powers, it remains a focal point for cyber-espionage activities, necessitating enhanced cooperation and information sharing among affected nations to safeguard their diplomatic and economic interests.

References

[1] https://osintcorp.net/russian-malware-campaign-hits-central-asian-diplomatic-files/
[2] https://www.infosecurity-magazine.com/news/russian-malware-campaign-hits/
[3] https://cyberscoop.com/fancy-bear-kazakhstan-russia-sekoia/