Introduction

Since 2021, a Russian-aligned cyber-espionage group known as TAG-110 has been actively targeting various sectors across Central Asia, East Asia [1], and Europe [1] [3]. Their operations have intensified, particularly since July 2024, affecting numerous organizations and highlighting the group’s strategic objectives aligned with Russian geopolitical interests.

Description

A Russian-aligned cyber-espionage group known as TAG-110 has been conducting sophisticated campaigns since 2021 [3], targeting government entities [1], human rights organizations [3], and educational institutions across Central Asia [1], East Asia [1], and Europe [1] [3]. The group’s activities have significantly escalated since July 2024, impacting 62 unique victims across eleven countries [3], with notable targets including the National Center for Human Rights of Uzbekistan and KMG-Security [3], a subsidiary of KazMunayGas [3].

TAG-110 employs custom malware tools, specifically the HatVibe loader and the CherrySpy backdoor [2], to infiltrate systems. The group primarily exploits vulnerabilities in public-facing web applications [3], such as the Rejetto HTTP File Server [3], and uses phishing emails to deliver the HatVibe malware [3]. Once installed, HatVibe functions as an HTML Application (HTA) loader that deploys CherrySpy [3], a Python-based backdoor designed to maintain persistence, monitor activity [3], and exfiltrate sensitive data to the group’s command-and-control servers [3].

The operations of TAG-110 align with Russian geopolitical objectives, particularly in influencing post-Soviet states and destabilizing NATO-aligned nations [1]. This calculated strategy aims to disrupt support for Ukraine amid ongoing military efforts.

To defend against these persistent threats [3], organizations are advised to implement intrusion detection and prevention systems (IDS/IPS) [1], monitor for indicators of compromise (IoCs) [1] [3], and ensure timely patching of vulnerabilities [1], including CVE-2024-23692. Additionally, deploying robust endpoint detection and response (EDR) solutions [1], enforcing multi-factor authentication (MFA) [1], and providing phishing awareness training are recommended. Sharing IoCs with regional cybersecurity agencies can further enhance collective defenses against TAG-110’s ongoing and strategic attacks [1]. The implications of TAG-110’s operations extend beyond national security [3], affecting the broader geopolitical landscape and underscoring the need for international cooperation in combating state-sponsored cyber espionage [3].
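The two recommendations above that an endpoint team can act on directly are IoC monitoring and watching for the HatVibe-to-CherrySpy chain itself. The following is an added example, not code from any of the cited reports: a small detection pass over constructed endpoint telemetry. It relies on two facts stated above, that HatVibe is an HTA loader (so on Windows it executes under mshta.exe) and that CherrySpy is Python-based (so a Python interpreter spawned by mshta.exe is an unusual parent/child pair). The hostnames, paths, event records, IoC domain and hash are all constructed placeholders; real indicators come from the vendor reports, not from this snippet.

```python
"""Added example: rule-based detection of an HTA loader handing off to a
Python backdoor, plus simple IoC matching, over constructed telemetry."""
from dataclasses import dataclass

# Constructed placeholder IoCs; substitute the indicators from the reports.
IOC_DOMAINS = {"placeholder-c2.example"}
IOC_SHA256 = {"0" * 64}

HTA_HOST = "mshta.exe"                      # Windows host process for .hta files
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Path fragments where a user-delivered (phished) HTA typically lands.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(ev: dict) -> list:
    """Apply the process-creation rules to one event record."""
    findings = []
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    cmdline = ev.get("command_line", "").lower()
    # Rule 1: mshta.exe executing an .hta from a user-writable location.
    if image == HTA_HOST and ".hta" in cmdline and any(h in cmdline for h in USER_WRITABLE_HINTS):
        findings.append(Finding(ev["host"], "hta_from_user_path", cmdline))
    # Rule 2: the HTA host spawning a Python interpreter (loader -> backdoor).
    if parent == HTA_HOST and image in PYTHON_IMAGES:
        findings.append(Finding(ev["host"], "mshta_spawns_python", f"{parent} -> {image}"))
    # Rule 3: file hash present in the IoC list.
    if ev.get("sha256", "").lower() in IOC_SHA256:
        findings.append(Finding(ev["host"], "ioc_hash_match", ev["sha256"]))
    return findings


def check_dns_event(ev: dict) -> list:
    """Flag DNS queries for an IoC domain or any of its subdomains."""
    query = ev.get("query", "").lower().rstrip(".")
    if query in IOC_DOMAINS or any(query.endswith("." + d) for d in IOC_DOMAINS):
        return [Finding(ev["host"], "ioc_domain_match", query)]
    return []


def scan(events) -> list:
    """Dispatch each event to the matching rule set and collect findings."""
    out = []
    for ev in events:
        if ev.get("type") == "process":
            out.extend(check_process_event(ev))
        elif ev.get("type") == "dns":
            out.extend(check_dns_event(ev))
    return out


# Constructed sample telemetry: a phished HTA, the interpreter it launches,
# a benign Python start, one IoC DNS hit and one benign lookup.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01",
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invite.hta"'},
    {"type": "process", "host": "ws-01",
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"pythonw.exe C:\Users\alice\AppData\Local\Temp\update.py",
     "sha256": "0" * 64},
    {"type": "process", "host": "ws-02",
     "image": r"C:\Program Files\Python311\python.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"python.exe C:\Projects\report.py"},
    {"type": "dns", "host": "ws-01", "query": "placeholder-c2.example."},
    {"type": "dns", "host": "ws-02", "query": "www.example.org"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

Rules 1 and 2 are the ones worth keeping even after the published IoCs rotate, since they describe the loader behaviour rather than a specific sample; the hash and domain lists are only as good as the feed that populates them.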

Conclusion

The activities of TAG-110 underscore the significant threat posed by state-sponsored cyber espionage, with impacts extending beyond immediate national security concerns to broader geopolitical stability. Effective mitigation strategies, including advanced cybersecurity measures and international collaboration, are essential to counteract these threats. As TAG-110 continues its operations, the importance of vigilance and proactive defense mechanisms cannot be overstated, highlighting the need for ongoing adaptation and cooperation in the global cybersecurity landscape.

References

[1] https://www.sisainfosec.com/weekly-threat-watch/helldown-ransomware-exploits-zyxel-vpn-flaw-to-target-corporate-networks/
[2] https://www.cybersecurityintelligence.com/blog/russian-state-sponsored-hacking-extends-worldwide-8095.html
[3] https://thesecmaster.com/blog/cyber-espionage-unveiled-russia-aligned-tag-110-targets-asia-and-europe