Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says

Hackers believed to be based in Kazakhstan are targeting other members of the Commonwealth of Independent States in a wide-ranging espionage campaign, according to new research.

Cisco’s Talos group has spent months tracking YoroTrooper — a hacking group focused on espionage that first emerged in June 2022. Researchers said the group’s targets, use of Kazakh currency, and fluency in Kazakh and Russian is part of what led them to believe the hackers are based in Kazakhstan.

YoroTrooper appears to have performed defensive actions in protecting the Kazakhstani state-owned email service and have only ever attacked the Kazakh government’s Anti-Corruption Agency.

Asheer Malhotra, a Cisco Talos threat researcher, told Recorded Future News that the group has actively tried to disguise its operations to make it seem like the attacks are coming from Azerbaijan in an attempt to “generate false flags and mislead attribution.”

“In terms of their modus operandi, their tactics and tools aren’t very sophisticated, however YoroTrooper has still enjoyed a substantial amount of success compromising targets in CIS [Commonwealth of Independent States] countries over the past two years, owing to their aggressive attempts to target their victims. Further, the threat actor shows no signs of slowing down in spite of Cisco Talos’ initial disclosure detailing YoroTrooper’s activities earlier this year,” Malhotra said.

Cisco Talos tracked attacks involving institutions and officials in Azerbaijan, Tajikistan, Kyrgyzstan, Uzbekistan, using VPN services to make it look like their hacks come from Azerbaijan.

The hackers compromised multiple state-owned websites and accounts belonging to government officials between May 2023 and August 2023.

Most of the attacks start with phishing emails and deploy custom-made malware that allows the group to steal data and credentials.

Researchers found the hackers using Russian in their attempts to debug their tools while also visiting numerous websites written in Kazakh. In June the hackers began using Uzbek in their code, another language spoken widely in Kazakhstan.

The hackers use cryptocurrency to pay for operating infrastructure like domains and servers while also checking “for currency conversion rates between Kazakhstani Tenge (KZT), Kazakhstan’s official currency and Bitcoin (BTC) on Google.”

The group also conducts security scans for mail[.]kz, the Kazakhstani state-owned email service, and monitors the platform for potential security vulnerabilities. While much of the activity is routed through Azerbaijan, Cisco Talos found evidence showing the hackers do not speak the Azerbaijani language —they regularly visit translation sites and check translations from Azerbaijani to Russian.

Cisco Talos noted that since their March 2023 report on YoroTrooper — which detailed the group’s attacks on a European Union healthcare agency, the World Intellectual Property Organization and several CIS countries —- they have vastly expanded their tools and tactics.

The group uses new, custom-made implants and abandoned other malware strains it previously used.

“YoroTrooper’s targeting of government entities in these countries may indicate the operators are motivated by Kazakh state interests or working under the direction of the Kazakh government,” the researchers said.

The group uses vulnerability scanners and open-source data from search engines such as Shodan to find vulnerabilities in their target’s infrastructure. They used these tools to compromise three state-owned Tajiki and Kyrgyzstani websites and hosted malware payloads on them this summer, with some malware still being hosted as of September 2023.

The compromises included the websites of Tajikistan’s Chamber of Commerce, the country’s Drug Control Agency and Kyrgyzstan's state-owned coal enterprise. An official from Kyrgyzstan's Ministry of Transport and Roads was also targeted alongside other government workers within the Uzbek Ministry of Energy.

Cisco Talos also saw the group adjust its tactics in light of their March report on hacking campaigns that allowed them to steal credentials, browser histories, system information and screenshots.

Malhotra said that while it is not common to see CIS countries hack each other, cybersecurity researchers have seen a recent uptick in cyberattacks in that region of the world.

“Considering their proximity to Europe, Central Asia, Russia and China, it would seem natural for CIS countries to develop intelligence capabilities driven by actions in cyberspace to support their political, economic and military advancements,” Malhotra explained.