Kazakhstan to audit foreign ministry after suspected Russia-linked cyberattack
Kazakhstan will audit its Foreign Ministry following a major cyberattack that researchers suspect may be linked to Kremlin-backed hackers, according to local media.
The Kazakh Digital Ministry responded to the attack after the release of a report detailing a cyberespionage campaign targeting diplomatic entities in Central Asia, including Kazakhstan. The hacker group behind this operation — tracked as UAC-0063 — is potentially linked to the Russian state-sponsored threat actor APT28, also known as Fancy Bear or BlueDelta.
Kazakh officials told the news outlet Orda they have been aware since the second half of 2023 of a cyberattack targeting the foreign ministry using the CherrySpy and Hatvibe malware strains.
Authorities decided to conduct an audit of the ministry only after French cybersecurity firm Sekoia published a report on the incident last month. Based on the audit’s findings, Kazakhstan’s cybersecurity officials will take further action, the digital ministry said.
When asked whether Russian hackers were responsible, as alleged by Sekoia and other researchers, the ministry told media “it was too early to say.” Previously, Kazakhstan’s national security agency stated it had no information on Russian-backed cyberattacks against the country’s state systems.
Hackers from UAC-0063 have been active since at least 2021 and have previously targeted diplomatic, nonprofit, academic, energy, and defense entities in Ukraine, Israel, India and multiple Central Asian countries, including Kazakhstan, Kyrgyzstan and Tajikistan.
In its latest campaign, discovered by Sekoia, the hackers used legitimate documents — such as correspondence, draft documents, or internal administrative notes — that likely originated from the Kazakhstan Foreign Ministry to deliver malware to victims.
It is unclear how the hackers obtained these documents. Researchers suggested they may have been exfiltrated in an earlier cyber operation, collected from open sources, or acquired through physical means.
Sekoia identified nearly two dozen such documents, dated from 2021 to October 2024. Most concerned diplomatic cooperation and economic issues between Kazakhstan and other countries.
The malicious files contained two known malware strains, CherrySpy and Hatvibe, both previously used in cyberespionage campaigns targeting Asia and Ukraine. The CherrySpy backdoor allows attackers to execute Python code received from a command-and-control server, while Hatvibe enables them to download and execute additional files on infected devices.
Researchers suggested this campaign is part of a broader cyberespionage operation against Central Asian countries, likely aimed at gathering strategic and economic intelligence on Kazakhstan's ties with Western and Central Asian nations.
Earlier in January, Indian cybersecurity firm Seqrite published a report on a separate cyberespionage campaign targeting Central Asia attributed to a previously unidentified threat actor which they dubbed Silent Lynx.
Silent Lynx has previously targeted Eastern European and Central Asian government think-tanks involved in economic decision-making and the banking sector. According to researchers, the group shares similarities and overlaps with a Kazakhstan-based threat actor known as YoroTrooper, which first emerged in 2022 and focuses on cyberespionage.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.