A flag bearing the KazMunayGas logo. Image: kmg.kz

Kazakh oil giant denies cyberattack, says incident was 'planned' phishing drill

Kazakhstan’s state oil company has dismissed claims by Indian cybersecurity firm Seqrite that it was the target of a new Russian-linked hacking group, saying the incident was in fact an internal phishing drill.

Seqrite Labs last week published research on what it called a newly identified group, NoisyBear, which it said had been active since April and focused on Central Asia’s energy sector. The company said NoisyBear compromised a KazMunayGas finance employee’s mailbox in May and used it to send phishing emails disguised as corporate policy updates, salary adjustments and IT department notices. The messages carried malicious archive files designed to install further payloads.

Seqrite attributed the activity to Russia, citing the attackers’ use of the Russian language and infrastructure hosted by sanctioned provider Aeza Group, as well as similarities with previous campaigns linked to Moscow-based actors. Aeza was sanctioned by the U.S. Treasury in July for allegedly supporting ransomware operators and online narcotics markets.

But KazMunayGas rejected Seqrite’s conclusions. In comments to Kazakh outlet Orda, the company said the incident was a scheduled simulation.

“In May 2025, KMG organized and carried out a planned internal exercise to test, assess, and improve employees’ awareness of information security,” the company said. It added that some of its employees were notified in advance, and the campaign was used to provide recommendations to staff.

Evidence in Seqrite’s own report appeared to support that claim: One screenshot of the phishing campaign showed test accounts among the recipients, such as addresses formatted as “test@kmg[.]kz,” noted Russian cybersecurity expert Oleg Shakirov. Seqrite has not responded to Recorded Future News’ request for comment.

This is not the first case where an external security report has clashed with a company’s own account. In May, U.S. cloud storage firm Snowflake pushed back against allegations by cybersecurity company Hudson Rock that attackers had breached its systems in a high-profile incident tied to Ticketmaster and Santander Bank. Snowflake said no customer data was exposed, and the account cited by Hudson Rock belonged to a former employee’s demo environment.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.