Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware

Summary:
“On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. Putin said he was visiting his “true ally”, yet Sekoia investigated an ongoing cyber espionage campaign using legitimate Office documents assessed to originate from the Ministry of Foreign Affairs of the Republic of Kazakhstan, that were further weaponized and likely used to collect strategic intelligence in Central Asia, including Kazakhstan and its diplomatic and economic relations with Asian and Western countries. We assess it is possible that this campaign was conducted by a Russia-nexus intrusion set, UAC-0063, sharing overlaps with APT28.” (Sekoia TDR, 2025)

An ongoing cyber espionage campaign targeting Kazakhstan has been attributed to Russia-nexus threat actors and is inferred to be part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The campaign has been aligned with the activity cluster UAC-0063, an adversary that likely shares operational overlap with APT28, a nation-state APT group affiliated with Russia’s General Staff Main Intelligence Directorate (GRU). UAC-0063 activity was first observed by Ukraine’s Computer Emergency Response Team (CERT-UA) in early 2023, attacking government entities with malware tracked as HATVIBE, CHERRYSPY, and STILLARCH. Subsequent campaigns, recorded under the name TAG-110, have targeted organizations in Central Asia, East Asia, and Europe. According to Sekoia, UAC-0063’s targeting suggests a focus on intelligence collection in sectors such as government (including diplomacy), NGOs, academia, energy, and defense, with a geographic focus on Ukraine, Central Asia, and Eastern Europe. The latest set of attacks uses legitimate Microsoft Office documents originating from the Ministry of Foreign Affairs of the Republic of Kazakhstan as spear-phishing lures to trigger a multi-stage infection chain dubbed Double-Tap, which drops the HATVIBE malware. In this campaign HATVIBE operates as a loader, receiving malicious Visual Basic script modules that ultimately deploy the sophisticated backdoor CHERRYSPY.
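The delivery vehicle in this campaign is a weaponized Office document, so a defender's first control is static triage of inbound documents before anyone opens them. The following Python script is an added example, not code from this article or from Sekoia. It checks an OOXML container for three general indicators of weaponization: an embedded VBA project, embedded OLE objects, and relationship entries that point to external (remote) resources. Those indicators are a general triage heuristic and an assumption on the editor's part; the page does not state how the Double-Tap lures were weaponized. The sample documents, filenames and the template URL are constructed in memory so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Magic bytes of the legacy OLE2 container (.doc/.xls); such files are not zips.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Standard OOXML package paths for a VBA project (Word, Excel, PowerPoint).
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Package directories that hold embedded OLE objects.
EMBEDDING_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


@dataclass
class TriageResult:
    filename: str
    legacy_binary: bool = False            # OLE2 file: needs a dedicated parser
    has_vba: bool = False                  # vbaProject.bin present
    embeddings: list = field(default_factory=list)        # embedded objects
    external_targets: list = field(default_factory=list)  # remote relationships

    @property
    def suspicious(self) -> bool:
        return (self.legacy_binary or self.has_vba
                or bool(self.embeddings) or bool(self.external_targets))


def triage_office_document(filename: str, data: bytes) -> TriageResult:
    """Inspect one document's container without rendering it in Office."""
    result = TriageResult(filename=filename)
    if data.startswith(OLE2_MAGIC):
        result.legacy_binary = True        # flag for manual review
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result                      # not an Office container at all
    with zf:
        for name in zf.namelist():
            if name in VBA_PARTS:
                result.has_vba = True
            elif name.startswith(EMBEDDING_PREFIXES):
                result.embeddings.append(name)
            elif name.endswith(".rels"):
                # TargetMode="External" relationships (e.g. an attached
                # template) can fetch remote content when the file is opened.
                for rel in ET.fromstring(zf.read(name)).iter():
                    if rel.get("TargetMode") == "External":
                        result.external_targets.append(rel.get("Target", ""))
    return result


def build_sample(with_vba: bool, remote_template: bool) -> bytes:
    """Constructed minimal Word container used as offline test input."""
    rels = [f'<Relationships xmlns="{RELS_NS}">']
    if remote_template:
        rels.append('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://template.example.invalid/lure.dotm" '
                    'TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{RELS_NS}"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_vba:
            # Placeholder bytes; a real vbaProject.bin is itself an OLE2 stream.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def triage_batch(samples: dict) -> dict:
    """Triage a mapping of filename -> bytes; returns filename -> TriageResult."""
    return {name: triage_office_document(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    batch = triage_batch({
        "briefing_clean.docx": build_sample(False, False),   # constructed
        "briefing_lure.docm": build_sample(True, True),      # constructed
        "archive_old.doc": OLE2_MAGIC + b"\x00" * 24,        # constructed
    })
    for name, r in batch.items():
        verdict = "REVIEW" if r.suspicious else "ok"
        print(f"{verdict:6} {name}: vba={r.has_vba} embeddings={r.embeddings} "
              f"external={r.external_targets} legacy={r.legacy_binary}")
```

Run it as a mail-gateway or sandbox pre-check: anything marked REVIEW goes to a detonation sandbox or an analyst rather than to the recipient. The check is deliberately narrow, reading only zip entry names and relationship XML, so it never parses the VBA stream or the legacy OLE2 format itself; a legacy binary is simply routed for manual review.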

Security Officer Comments:
The breadth of targets suggests this is a global intelligence-gathering campaign by a Russia-nexus threat actor. The use of legitimate Microsoft Office documents indicates the threat actor’s extensive research and prior exfiltration of Kazakhstan government documents. The weaponized spear-phishing documents point to a cyber espionage campaign designed to collect strategic intelligence on diplomatic relations between Central Asian states. Geopolitical tensions in Central Asia and Kazakhstan’s growing value as a trade link between Europe and China underscore why Kazakhstan is such a valuable espionage target.

“In recent years, geopolitical shifts have increasingly driven Kazakhstan to distance itself from Russia and pursue closer economic and strategic ties with other powers, notably Western states and China. Since the Russian invasion of Ukraine in February 2022, Kazakhstan, the leading Central Asian power and former part of the Soviet Union, has maintained a balanced stance on the war in Ukraine by supporting Ukraine’s territorial integrity without openly condemning the Russian invasion.” (Sekoia TDR, 2025)

Suggested Corrections:
IOCs are available in the Sekoia report (linked below).

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://thehackernews.com/2025/01/russian-linked-hackers-target.html

https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/