A suspected Russia-linked threat actor has reportedly been conducting targeted spear phishing attacks against diplomatic entities in Kazakhstan. The group, tracked as UAC-0063, has been active since at least 2021 and was first publicly described by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. CERT-UA links UAC-0063 with medium confidence to APT28 (also known as Fancy Bear, Forest Blizzard, Strontium, or Sofacy), which is attributed to Military Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU). APT28 is known for high-profile operations against Western governments, including the 2016 compromise of the Democratic National Committee during the U.S. presidential election and campaigns against parliamentary bodies in Germany, Norway, the Netherlands, and other countries.
UAC-0063's activity appears focused on intelligence collection from government organizations, NGOs, academic institutions, and energy and defense entities. Its targeting centers on Eastern Europe, particularly Ukraine, and Central Asia (Kazakhstan, Kyrgyzstan, and Tajikistan), and also extends to Israel and India.
A new wave of UAC-0063 spear phishing was recently documented in a blog post by researchers at Sekoia. The campaign, which dates back to at least 2022, appears to serve a broader effort by the Russian government under President Vladimir Putin to gain strategic insight into, and potentially leverage over, Kazakhstan, a former Soviet republic that has been broadening its diplomatic engagements in recent years.
The phishing emails delivered convincing diplomatic documents crafted to persuade recipients to enable macros. Once enabled, the macros ran a chain of malicious commands that could compromise the recipient's device, after which the attackers deployed a backdoor named "HatVibe" for remote access to the compromised system. The follow-on payloads used in this specific campaign have not been disclosed, but earlier CERT-UA reporting on the group points to a more capable Python backdoor named "CherrySpy" as a likely candidate.
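The lure documents described above rely on the recipient enabling macros. A practical first-line triage check for incoming Office attachments is to inspect the OOXML container for an embedded VBA project, which is what Word ultimately executes when macros are enabled. The following is an added example written for this page, not code from Sekoia, CERT-UA, or the campaign itself; the sample documents it builds are constructed in memory purely to exercise the check and are not real campaign artifacts.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled (.docm) document.
MACRO_ENABLED_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a real document).

    A macro-enabled file carries a word/vbaProject.bin part (an OLE2 compound
    file, recognisable by its D0 CF 11 E0 magic) and a macroEnabled content type.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_ct = MACRO_ENABLED_MAIN_PART if with_macro else PLAIN_MAIN_PART
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" '
            f'ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Only the OLE2 header magic is needed for this demonstration.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


def find_macro_indicators(data: bytes) -> list[str]:
    """Return the indicators that an OOXML document carries VBA macros.

    An empty list means no macro indicators were found, or the input is not an
    OOXML zip at all (legacy OLE2 .doc files need a different parser).
    """
    indicators: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return indicators

    # Indicator 1: the VBA project part itself, wherever it sits in the package.
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            indicators.append(f"vba part: {name}")

    # Indicator 2: the package declares a macro-enabled main part.
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    if "macroEnabled" in content_types:
        indicators.append("content type: macroEnabled")

    return indicators


if __name__ == "__main__":
    for label, doc in (("lure.docm", build_sample_docx(True)),
                       ("memo.docx", build_sample_docx(False))):
        print(label, find_macro_indicators(doc) or "no macro indicators")
```

The check is a triage signal, not a verdict: many legitimate documents carry macros, and a malicious document may instead abuse remote templates, OLE objects, or a legacy binary format that this zip-based check does not parse. Quarantining or flagging any externally sourced macro-enabled attachment for analyst review is the conservative policy the indicators are meant to support.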
The timing of the operation coincided with President Putin's state visit to Kazakhstan on November 27, during which the two governments discussed closer economic ties, particularly in the energy sector, and signed agreements covering energy, education, and transportation. Analysts regard Central Asia, and Kazakhstan in particular, as a key arena for Russian influence, given the country's position as a land bridge between China and Europe while the war between Russia and Ukraine continues.
The lures themselves reinforce that reading: several of the documents used as bait were genuine files originating from Kazakhstan's Ministry of Foreign Affairs, indicating that Russian intelligence is interested in Kazakhstan's diplomatic relations and strategic positioning with respect to other states.
Taken together, the espionage against Kazakhstan's diplomatic engagements with European states aligns with Russia's broader effort to monitor the strategic dynamics of the region. As Kazakhstan manages its foreign relationships under complex geopolitical pressure, UAC-0063 illustrates how closely state-sponsored intrusion activity tracks diplomatic events on the ground.