# Full Report
The malware-laced files include draft versions of diplomatic statements, correspondence letters, internal administrative notes and other documents. The post Fancy Bear spotted using real Kazak government documents in spearpishing campaign appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: Fancy Bear (APT 28)
## Attribution & Identity
The threat actor is Fancy Bear, also known as APT 28. This group is linked to Russian intelligence and is believed to be affiliated with Moscow’s Main Intelligence Directorate (GRU). The observed activity is also connected to an intrusion set previously identified by the Ukrainian government in 2023.
## Activity Summary
The group is engaged in espionage campaigns targeting government officials in Central Asia. The recent activity, dubbed "Double-Tap" by Sekoia researchers, involves using seemingly legitimate documents sourced from the Kazakhstan government (including draft diplomatic statements, correspondence letters, and internal administrative notes spanning 2021-2024) as phishing lures. This campaign has reportedly ensnared dozens of victims across Central Asia, East Asia, and Europe since July 2024. This specific operation followed earlier attacks linked to a 2023 compromise of the Tajikistan Embassy in Ukraine, which led to follow-up targeting in Kazakhstan, Kyrgyzstan, Mongolia, Israel, and India.
## Tactics, Techniques & Procedures
- **Spearphishing:** Using legitimate-looking government documents as lures.
- **Document Luring:** Malicious code embedded in document files (draft diplomatic statements, correspondence letters, internal administrative notes).
- **Execution Chain:** Utilizes a chain where one Word document opens another to execute malicious code (the "Double-Tap" campaign).
- **Macro Usage:** Execution relies on malicious macro files within Word documents.
- **Security Downgrade:** The initial execution chain downgrades the victim device’s security settings.
- **Persistence:** Deploys malware (HATVIBE) to the hard drive and sets up a clandestine program to run the malware every four minutes.
- **Malware Overlap:** Technical details overlap with tooling associated with the ZEBROCY backdoor, which was also attributed to Fancy Bear.
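The "Security Downgrade" and "Macro Usage" techniques above leave traces in Office's Trust Center settings, which are stored in the registry. As an added example (not part of the Sekoia or CyberScoop reporting), the Python below parses the text produced by `reg export` for an Office `Security` key and flags values that weaken macro protection. The value names `VBAWarnings`, `AccessVBOM` and `blockcontentexecutionfrominternet` are real Office settings; the exported sample and the Office `16.0` version path are constructed assumptions.

```python
"""Audit exported Office macro-security settings for signs of a downgrade.

Added example, not from the report it accompanies. Parses the `.reg` text
format written by `reg export` and reports settings that loosen macro
protection. Value names are real Office settings; the sample export below
is constructed and the 16.0 version path is an assumption.
"""
import re

# Meaning of the VBAWarnings DWORD (Office Trust Center macro settings).
VBA_WARNINGS = {
    1: "Enable all macros (dangerous)",
    2: "Disable all macros with notification",
    3: "Disable all except digitally signed macros",
    4: "Disable all macros without notification",
}

# Constructed sample: a user's Word key after a downgrade, Excel left strict.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001
"blockcontentexecutionfrominternet"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("hex"), 16)
    return result


def audit_macro_settings(settings):
    """Return (key, finding) pairs for values that weaken macro protection."""
    findings = []
    for key, values in settings.items():
        if not key.lower().endswith("\\security"):
            continue  # only Office *\Security keys carry macro settings
        vba = values.get("VBAWarnings")
        if vba == 1:
            findings.append((key, "VBAWarnings=1: " + VBA_WARNINGS[1]))
        elif vba not in (None, 2, 3, 4):
            findings.append((key, f"VBAWarnings={vba}: unexpected value"))
        if values.get("AccessVBOM") == 1:
            findings.append((key, "AccessVBOM=1: programmatic access to the VBA project is allowed"))
        if values.get("blockcontentexecutionfrominternet") == 0:
            findings.append((key, "blockcontentexecutionfrominternet=0: Mark-of-the-Web macro block disabled"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_macro_settings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}: {finding}")
```

Run it against a real export (`reg export "HKCU\Software\Microsoft\Office\16.0\Word\Security" word.reg`, opened with `encoding="utf-16"`) on a host suspected of compromise, or on a baseline image to confirm that the policy in the Mitigations section is actually in force. The sample above produces three findings for the Word key and none for Excel.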
## Targeting
- **Sectors:** Government, Defense agencies, and Diplomatic entities.
- **Geography:** Central Asia (specifically Kazakhstan, Kyrgyzstan), East Asia, and Europe.
- **Victims:** Government officials in Central Asian nations. The Tajikistan Embassy in Ukraine is specifically noted as having been compromised in 2023.
## Tools & Infrastructure
- **Malware families used:**
- HATVIBE (loader that calls out to its C2 infrastructure)
- CHERRYSPY
- ZEBROCY (backdoor used in similar past campaigns)
- **Infrastructure (C2 servers, domains, IPs):**
- Not detailed in the source report beyond the fact that HATVIBE calls out to its C2 infrastructure.
## Implications
Fancy Bear continues its strategic objectives of state-sponsored espionage, demonstrating a sophisticated ability to mimic real-world geopolitical communication by leveraging authentic-looking government artifacts from Kazakhstan. The use of document chains and established malware further indicates the group's persistent access to specific targets in Central Asia and allied nation infrastructure.
## Mitigations
- Users, especially in government and diplomatic roles, should exercise extreme caution regarding unsolicited documents, even if they appear to originate from legitimate government sources.
- Organizations should strictly enforce policies limiting or disabling macro execution in Microsoft Office applications, especially for files received externally.
- Monitor systems for persistence mechanisms involving scheduled processes or clandestine programs that execute at regular intervals (e.g., every four minutes, as observed with HATVIBE persistence).
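The four-minute HATVIBE persistence noted under "Tactics, Techniques & Procedures" and the monitoring advice above can be checked directly in Task Scheduler definitions, which are stored as XML under `C:\Windows\System32\Tasks` and exported by `schtasks /Query /XML`. The following Python is an added example, not from the report: it parses that XML, converts each trigger's ISO 8601 repetition interval to seconds, and flags tasks that re-run at or below a chosen threshold, reporting whether the task is hidden and what it executes. The task definitions, task names and command paths are constructed placeholders.

```python
"""Flag scheduled-task definitions that repeat every few minutes.

Added example, not from the accompanying report. Scans Windows Task
Scheduler XML (the format under C:\\Windows\\System32\\Tasks) for short
repetition intervals such as PT4M. The task XML below is constructed;
names and command paths are placeholders. Real task files are UTF-16,
so open them with encoding="utf-16" before passing the text here.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 duration as used by Task Scheduler: PnDTnHnMnS (any part optional).
DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

# Constructed sample: hidden task re-running a placeholder binary every four minutes.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Placeholder\Updater</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-07-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\Placeholder\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a daily task with no repetition block.
SAMPLE_BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Placeholder\NightlyBackup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-07-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author"><Exec><Command>C:\Placeholder\backup.exe</Command></Exec></Actions>
</Task>
"""


def iso_duration_seconds(value):
    """Convert an ISO 8601 duration (PT4M, P1DT2H30M, ...) to seconds; None if unparsable."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return (parts.get("d", 0) * 86400 + parts.get("h", 0) * 3600
            + parts.get("m", 0) * 60 + parts.get("s", 0))


def scan_task_xml(xml_text, max_interval_seconds=300):
    """Return findings for every repetition interval at or below the threshold."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true"
    commands = [
        (e.findtext("t:Command", default="", namespaces=NS),
         e.findtext("t:Arguments", default="", namespaces=NS))
        for e in root.findall("t:Actions/t:Exec", NS)
    ]
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        seconds = iso_duration_seconds(interval.text or "")
        if seconds is not None and seconds <= max_interval_seconds:
            findings.append({"task": name, "interval_seconds": seconds,
                             "hidden": hidden, "commands": commands})
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_TASK_XML, SAMPLE_BENIGN_TASK_XML):
        for f in scan_task_xml(sample):
            print(f"{f['task']}: every {f['interval_seconds']}s, hidden={f['hidden']}, runs {f['commands']}")
```

In practice, iterate over every file under `C:\Windows\System32\Tasks` (or the output of `schtasks /Query /XML ONE`) and review each finding's command against a software inventory; a five-minute threshold catches the four-minute cadence described above while ignoring ordinary daily or hourly maintenance tasks. The sample above yields one finding for the hidden four-minute task and none for the nightly one.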