Kazakhstan Deputy Prime Minister and Foreign Minister Murat Nurtleu speaks during a meeting of the Collective Security Treaty Organization in June 2024. Credit: Kazakhstan Ministry of Foreign Affairs

Hackers with likely Kremlin ties target Kazakhstan in espionage campaign

Hackers potentially linked to the Kremlin-backed threat actor APT28 have been spying on diplomatic entities in Central Asia to gather economic and political intelligence in the region, researchers have found.

The group, tracked as UAC-0063, has been active since at least 2021 and has previously targeted diplomatic, nonprofit, academic, energy and defense entities in Ukraine, Israel, India, and multiple Central Asian countries, including Kazakhstan, Kyrgyzstan, and Tajikistan.

In an analysis of attacks on Ukrainian scientific and research institutions in July, Ukraine’s Computer Emergency Response Team (CERT-UA) linked UAC-0063 with “medium confidence” to APT28, also known as Fancy Bear or BlueDelta, which is tied to Russia’s military intelligence agency (GRU).

In the ongoing cyber-espionage campaign discovered by cybersecurity firm Sekoia and described in a report on Monday, the hackers used legitimate documents — such as correspondence letters, draft documents, or internal administrative notes — that likely originated from Kazakhstan’s Ministry of Foreign Affairs to deliver malware to their victims.

How the hackers procured these documents is unknown, but the researchers said they may have been exfiltrated in an earlier cyber operation, obtained through open-source collection, or acquired via a physical operation.

Sekoia identified nearly two dozen such documents, dated from 2021 to October 2024. Most of them concerned diplomatic cooperation and economic issues between Kazakhstan and other countries.

The malicious files contained two known malware strains, Cherryspy and Hatvibe, both previously used in cyber-espionage campaigns targeting Asia and Ukraine. The Cherryspy backdoor allows attackers to execute Python code received from a command-and-control server, while Hatvibe can download and execute additional files on infected devices.

Although the group used familiar tools in this campaign, the infection chain was “quite unique,” researchers said, emphasizing its focus on bypassing security solutions.

Researchers suggested the campaign is part of a larger global cyber-espionage operation targeting Central Asian countries, particularly Kazakhstan’s foreign relations.

“The objective of this partially uncovered campaign is likely to gather strategic and economic intelligence on Kazakhstan’s relations with Western and Central Asian countries, aiming to preserve Russia’s influence in a region historically within its sphere of control,” they said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.