URL: https://cyberscoop.com/fancy-bear-kazakhstan-russia-sekoia/

FANCY BEAR SPOTTED USING REAL KAZAKH GOVERNMENT DOCUMENTS IN SPEARPHISHING
CAMPAIGN

The malware-laced files include draft versions of diplomatic statements,
correspondence letters, internal administrative notes and other documents.

By Derek B. Johnson

January 13, 2025


A hacking group linked to Russian intelligence has been observed leveraging
seemingly legitimate documents from the Kazakhstan government as phishing lures
to infect and spy on government officials in Central Asia, according to
researchers at Sekoia.

The files, laced with malware, include draft versions of diplomatic statements,
correspondence letters, internal administrative notes and other documents
attributed to the Kazakhstan government between 2021 and 2024. In many cases
they appear to match real documents or statements put out by Kazakhstan’s
Ministry of Foreign Affairs.

The activity is linked to an intrusion set first identified by the Ukrainian
government in 2023, one that Ukraine's CERT and the private threat intelligence
firm Recorded Future have attributed to APT28. That group, also known as Fancy
Bear, conducts cyber espionage against governments on behalf of the Russian
state and is believed to be linked to Moscow's Main Intelligence Directorate
(GRU).

According to previous research from Recorded Future, the same campaign has
ensnared dozens of victims across Central Asia, East Asia and Europe since July
2024, and includes the use of two pieces of malware — dubbed HATVIBE and
CHERRYSPY — that were previously attributed to Russian cyber espionage
campaigns. Ukrainian officials have linked the malware to a 2023 compromise of
the official email account of the Tajikistan Embassy in Ukraine, which was then
used in follow-up attacks targeting entities in Kazakhstan, Kyrgyzstan,
Mongolia, Israel and India.

“Although the infection chain was already partially documented, the ten
documents identified by Sekoia exhibit a previously unknown malicious code,
while retaining a similar execution structure,” Sekoia researchers Amaury G.,
Maxime Arandel, Erwan Chevalier and Felix Aimé wrote.

When opened, the documents run a chain of VBA macros in Word that lowers the
macro security settings of the victim's Office installation, writes the
configuration variables HATVIBE needs to disk and sets up persistence that
re-launches the malware every four minutes.

Because the chain uses one Word document to open another, the researchers have
named the ongoing campaign “Double-Tap.”

According to Sekoia, the technical details around HATVIBE and its known victim
set overlap with ZEBROCY, another backdoor that was used in a similar
espionage-minded campaign against Central Asian governments, defense agencies
and diplomatic entities. ZEBROCY was also attributed to Fancy Bear by Russian
cybersecurity firm Kaspersky. Sekoia researchers assessed with medium confidence
that the activity they were tracking was also tied to the Russian GRU and Fancy
Bear.

HATVIBE operates as a loader, calling out to command and control servers to
fetch and execute CHERRYSPY, a second piece of malware that provides persistent,
clandestine backdoor access to the victim's device.

It's not clear how APT28 initially obtained the Kazakh government files used in
the spearphishing attacks. Sekoia researchers suggest that Kazakhstan and its
neighboring Central Asian governments were likely the primary targets of the
campaign, noting that Kazakhstan's government has drifted away from Russia's
orbit of influence in recent years on issues like the war in Ukraine.

“Those documents may have been exfiltrated through a cyber operation conducted
earlier by the same intrusion set, within the same campaign. Yet, we do not have
technical evidence to confirm this possibility,” Sekoia researchers wrote. “The
documents may have also been obtained by another intrusion set through cyber
operation, open source collection or by a physical operation (stolen laptop by
intelligence agents), and then handed to the operators of this campaign to be
weaponized.”

Other recent developments, such as Kazakhstan's emerging role as a key trade
partner between China and Europe and the international competition to build its
first nuclear power plant, make it a prime target for cyber espionage.

“Ultimately, Russia’s objectives are to ensure Kazakhstan remains politically
aligned, to counter the influence of competing powers, and to secure its own
economic and strategic foothold in the region,” the researchers wrote.

For more information on this campaign, including indicators of compromise and
detection rules, read the blog on Sekoia’s website.

WRITTEN BY DEREK B. JOHNSON

Derek B. Johnson is a reporter at CyberScoop, where his beat includes
cybersecurity, elections and the federal government. Prior to that, he has
provided award-winning coverage of cybersecurity news across the public and
private sectors for various publications since 2017. Derek has a bachelor’s
degree in print journalism from Hofstra University in New York and a master’s
degree in public policy from George Mason University in Virginia.

IN THIS STORY

 * APT28
 * Fancy Bear
 * GRU
 * Kazakhstan
 * Russia
 * Sekoia
