
Dozens of Central Asian targets hit in recent Russia-linked cyber-espionage campaign

Researchers have identified an ongoing Russia-linked cyber-espionage campaign targeting human rights groups, private security companies, and state and educational institutions in Central Asia, East Asia, and Europe using custom malware.

The attacks have been attributed to a threat actor tracked as TAG-110. According to a report by Recorded Future’s Insikt Group, this actor is likely linked to the Russian cyber-espionage group BlueDelta, also known as APT28 or Fancy Bear. The Record is an editorially independent unit of Recorded Future.

Since July of this year, Insikt Group has identified over 60 unique TAG-110 victims, primarily in Tajikistan, Kyrgyzstan, Turkmenistan, and Kazakhstan. They were infected with the group’s custom malware, including the Hatvibe loader and the Cherryspy backdoor. To deliver these tools to targeted systems, the group used malicious Microsoft Word email attachments and exploited vulnerable web-facing services, Insikt Group said. 

“Similar to other recent Russian state hacker campaigns affecting the region, the group is likely seeking to acquire intelligence to bolster Russia’s military efforts in Ukraine and gather insights into geopolitical events in neighboring countries, especially as Moscow’s relations with its neighbors have suffered following its invasion of Ukraine,” the researchers said.

APT28 is believed to act on the orders of Russia’s military intelligence agency (GRU) and is thought to be behind several major attacks on Ukraine and its allies in recent years. Last year, the group reportedly hacked Germany’s Social Democratic Party, and in May, it allegedly conducted a large-scale espionage campaign targeting Poland’s government institutions.

TAG-110 has allegedly been spying for the Russian state since at least 2021, primarily targeting entities in Central Asia, Insikt Group said. The group has also targeted victims in India, Israel, Mongolia and Ukraine. Researchers anticipate that TAG-110’s campaigns will persist in the near term, likely focusing on post-Soviet Central Asian states, Ukraine, and its allies.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.