# Full Report
Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe. Recorded Future's Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The
# Analysis Summary
# Main Topic
A cyber espionage campaign attributed to Russian-aligned threat actors, tracked as TAG-110 by Recorded Future's Insikt Group, targeting government entities, human rights groups, and educational institutions across Central Asia, East Asia, and Europe since at least 2021, primarily to gather intelligence supporting Russia's geopolitical objectives.
## Key Points
- The activity cluster TAG-110 overlaps with UAC-0063 (tracked by CERT-UA) and APT28.
- The campaign primarily focuses on Central Asian nations (Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, Uzbekistan), but victims have also been observed in Armenia, China, Hungary, India, Greece, and Ukraine.
- The threat actors utilize custom malware tools: HATVIBE (an HTML application loader) and CHERRYSPY (a Python backdoor).
- HATVIBE's function is to deploy the CHERRYSPY backdoor, which is used for data exfiltration and espionage.
- As of the reporting, 62 unique victims across eleven countries have been identified.
## Threat Actors
- **TAG-110:** Name assigned by Recorded Future's Insikt Group for this specific activity cluster.
- **UAC-0063:** Group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA), which overlaps with TAG-110.
- **APT28:** The threat group that UAC-0063 itself overlaps with.
- **Attribution:** The actors are stated to have "ties to Russia."
- **Motivation:** Likely to gather intelligence informing Russia's geopolitical objectives in the region.
## TTPs
- **Initial Access:** Exploitation of known security flaws in public-facing web applications (e.g., Rejetto HTTP File Server) and spear-phishing emails.
- **Payload Deployment:** HATVIBE is used as a loader to install the CHERRYSPY Python backdoor.
- **Objective:** Data exfiltration and espionage via the CHERRYSPY backdoor.
## Affected Systems
- **Victim Sectors:** Government entities, human rights groups, and educational institutions.
- **Geographic Scope:** Primary focus on Central Asia (Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, Uzbekistan). Secondary victims noted in Armenia, China, Hungary, India, Greece, and Ukraine.
- **Specific Vulnerability Example:** Exploitation of flaws in Rejetto HTTP File Server noted as an access vector.
## Mitigations
*(Note: The provided context heavily emphasizes attribution and observed TTPs but does not list specific recommended external mitigations or patch information. Therefore, this section reflects the implied defensive posture based on the observed TTPs.)*
- Prioritize patching and hardening public-facing web applications, with particular attention to products with known exploited vulnerabilities such as Rejetto HTTP File Server.
- Enhance detection coverage for HTML Application (HTA) loaders such as HATVIBE and Python-based backdoors such as CHERRYSPY.
- Increase scrutiny and user awareness regarding phishing attempts targeting sensitive organizations.
## Conclusion
TAG-110 represents an ongoing, sophisticated Russian-aligned espionage effort actively targeting governmental and civil society sectors across Eurasia. The consistent use of HATVIBE and CHERRYSPY against entities in Central Asia suggests a dedicated, long-term intelligence gathering operation tied to Russian foreign policy interests. Organizations in the affected regions should urgently review their external attack surface and be highly vigilant against phishing and known web application vulnerabilities.