December 2, 2023

Hackers believed to be primarily based in Kazakhstan are focusing on different members of the Commonwealth of Impartial States in a wide-ranging espionage marketing campaign, in accordance with new analysis.

Cisco’s Talos group has spent months monitoring YoroTrooper — a hacking group targeted on espionage that first emerged in June 2022. Researchers mentioned the group’s targets, use of Kazakh forex, and fluency in Kazakh and Russian is a part of what led them to consider the hackers are primarily based in Kazakhstan.

YoroTrooper seems to have carried out defensive actions in defending the Kazakhstani state-owned e-mail service and have solely ever attacked the Kazakh authorities’s Anti-Corruption Company.

Asheer Malhotra, a Cisco Talos risk researcher, advised Recorded Future Information that the group has actively tried to disguise its operations to make it look like the assaults are coming from Azerbaijan in an try and “generate false flags and mislead attribution.”

“When it comes to their modus operandi, their techniques and instruments aren’t very subtle, nonetheless YoroTrooper has nonetheless loved a considerable quantity of success compromising targets in CIS [Commonwealth of Independent States] international locations over the previous two years, owing to their aggressive makes an attempt to focus on their victims. Additional, the risk actor reveals no indicators of slowing down despite Cisco Talos’ preliminary disclosure detailing YoroTrooper’s actions earlier this yr,” Malhotra mentioned.

Cisco Talos tracked assaults involving establishments and officers in Azerbaijan, Tajikistan, Kyrgyzstan, Uzbekistan, utilizing VPN providers to make it seem like their hacks come from Azerbaijan.

The hackers compromised a number of state-owned web sites and accounts belonging to authorities officers between Might 2023 and August 2023.

A lot of the assaults begin with phishing emails and deploy custom-made malware that enables the group to steal knowledge and credentials.

International locations attacked by YoroTrooper. Picture: Cisco Talos

Researchers discovered the hackers utilizing Russian of their makes an attempt to debug their instruments whereas additionally visiting quite a few web sites written in Kazakh. In June the hackers started utilizing Uzbek of their code, one other language spoken broadly in Kazakhstan.

The hackers use cryptocurrency to pay for working infrastructure like domains and servers whereas additionally checking “for forex conversion charges between Kazakhstani Tenge (KZT), Kazakhstan’s official forex and Bitcoin (BTC) on Google.”

The group additionally conducts safety scans for mail[.]kz, the Kazakhstani state-owned e-mail service, and screens the platform for potential safety vulnerabilities. Whereas a lot of the exercise is routed by Azerbaijan, Cisco Talos discovered proof displaying the hackers don’t converse the Azerbaijani language —they repeatedly go to translation websites and examine translations from Azerbaijani to Russian.

Cisco Talos famous that since their March 2023 report on YoroTrooper — which detailed the group’s assaults on a European Union healthcare company, the World Mental Property Group and a number of other CIS international locations —- they’ve vastly expanded their instruments and techniques.

The group makes use of new, custom-made implants and deserted different malware strains it beforehand used.

“YoroTrooper’s focusing on of presidency entities in these international locations could point out the operators are motivated by Kazakh state pursuits or working underneath the course of the Kazakh authorities,” the researchers mentioned.

The group makes use of vulnerability scanners and open-source knowledge from search engines like google and yahoo equivalent to Shodan to seek out vulnerabilities of their goal’s infrastructure. They used these instruments to compromise three state-owned Tajiki and Kyrgyzstani web sites and hosted malware payloads on them this summer time, with some malware nonetheless being hosted as of September 2023.

The compromises included the web sites of Tajikistan’s Chamber of Commerce, the nation’s Drug Management Company and Kyrgyzstan’s state-owned coal enterprise. An official from Kyrgyzstan’s Ministry of Transport and Roads was additionally focused alongside different authorities staff throughout the Uzbek Ministry of Vitality.

Cisco Talos additionally noticed the group alter its techniques in gentle of their March report on hacking campaigns that allowed them to steal credentials, browser histories, system data and screenshots.

Malhotra mentioned that whereas it’s not frequent to see CIS international locations hack one another, cybersecurity researchers have seen a latest uptick in cyberattacks in that area of the world.

“Contemplating their proximity to Europe, Central Asia, Russia and China, it will appear pure for CIS international locations to develop intelligence capabilities pushed by actions in our on-line world to assist their political, financial and army developments,” Malhotra defined.

Get extra insights with the

Recorded Future

Intelligence Cloud.

Study extra.

No earlier article

No new articles

Jonathan Greig

Jonathan Greig is a Breaking Information Reporter at Recorded Future Information. Jonathan has labored throughout the globe as a journalist since 2014. Earlier than shifting again to New York Metropolis, he labored for information shops in South Africa, Jordan and Cambodia. He beforehand lined cybersecurity at ZDNet and TechRepublic.