Full Report
Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063, which likely shares overlap with APT28, a nation-state group affiliated with Russia's General Staff Main
Analysis Summary
# Threat Actor: UAC-0063
## Attribution & Identity
- **Identified as:** A Russia-linked cyber espionage intrusion set.
- **Attribution Confidence:** Medium confidence that the cluster is linked to the Russian hacking group APT28 (a nation-state group affiliated with Russia's General Staff Main Intelligence Directorate - GRU).
- **Known Aliases/Associations:** TAG-110 is Recorded Future's designation for this cluster. The associated group APT28 is tracked under many vendor names: Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
## Activity Summary
UAC-0063 has been conducting cyber espionage campaigns, primarily focused on intelligence gathering in Central Asia, East Asia, and Europe. The group was first documented by CERT-UA in early 2023 attacking Ukrainian government entities. More recently, campaigns observed by Recorded Future targeted organizations in Central Asia. The latest observed activity involved spear-phishing attacks against organizations in Kazakhstan, specifically leveraging documents originating from the Ministry of Foreign Affairs of the Republic of Kazakhstan.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing using weaponized, legitimate-looking Microsoft Office documents (e.g., from the MFA of Kazakhstan).
- **Execution Chain (Double-Tap):**
1. Malicious macro in the initial document runs.
2. The macro creates a second, blank document in `C:\Users\[USER]\AppData\Local\Temp\`.
3. The second document is opened automatically in a hidden Word instance.
4. That document drops a malicious HTA (HTML Application) file embedding the HATVIBE backdoor and executes it via `mshta.exe`; the HTA is designed to run for four minutes.
- **Evasion/Defense Evasion:**
- Storing the real malicious macro code within the document's `settings.xml` file rather than in the VBA project, where macro scanners normally look.
- Creating a scheduled task without spawning `schtasks.exe`, so detections keyed on that binary's process creation or command line do not fire.
- An anti-emulation check in the first document that halts execution if the system time appears to have been altered, an anti-sandbox/anti-analysis measure.
- **Payload Delivery:** HATVIBE acts as a loader, receiving next-stage VBS modules for execution from a remote server, ultimately deploying the sophisticated CHERRYSPY Python backdoor.
- **Known Malware Families Used (Exclusive to this group):** HATVIBE, CHERRYSPY, STILLARCH (aka DownEx).
## Targeting
- **Sectors:** Government (including diplomacy), NGOs, academia, energy, and defense.
- **Geography:** Ukraine (initial focus), Central Asia (current focus, especially Kazakhstan), and Eastern Europe.
- **Victims:** Ukrainian government entities and organizations within Central Asia; in the latest campaign, documents originating from the Ministry of Foreign Affairs of the Republic of Kazakhstan were used as lures.
## Tools & Infrastructure
- **Malware Families Used:** HATVIBE (loader), CHERRYSPY (Python backdoor), STILLARCH (DownEx).
- **Infrastructure:** HATVIBE retrieves next-stage VBS modules from remote servers. No C2 domains or IP addresses are given in the source text.
## Implications
UAC-0063 functions as a dedicated cyber espionage arm for Russian intelligence, focused on high-value strategic intelligence collection regarding political and diplomatic relations, particularly concerning Kazakhstan's foreign relations in Central Asia. The use of sophisticated anti-analysis techniques and exclusive malware suggests a well-resourced and dedicated operation.
## Mitigations
- Implement email protection and sandboxing capable of detonating and analysing macro-bearing documents, including those that appear to come from trusted external entities such as foreign ministries.
- Use analysis sandboxes that withstand anti-emulation checks (realistic clock behaviour, and a detonation time long enough to cover the four-minute HTA run) so the staged chain is observed end to end.
- Monitor and alert on `mshta.exe` launched by Office processes such as Word, and on scheduled-task creation that is not accompanied by a `schtasks.exe` process.
- Review the creation of temporary files in user profiles (e.g., `%LOCALAPPDATA%\Temp`) that trigger secondary execution chains, such as a second Word document opened from that location.
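The three monitoring points above map directly onto the execution chain (Word opening a document from Temp, `mshta.exe` under an Office parent, and a task created without `schtasks.exe`). The script below is an added example, not code from the original report or any vendor tooling. The events are constructed in-line and shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created); the field names, the Office parent list, the Temp-path heuristic and the ten-second correlation window are my assumptions, not details from the report.

```python
"""Detections for the UAC-0063 execution chain over process- and task-creation events.

Added example, not code from the original report. Events are constructed in-line and
shaped like Sysmon EID 1 and Security EID 4698; field names, the Office parent list
and the correlation window are assumptions for the demonstration.
"""
from __future__ import annotations

from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TASK_WINDOW = timedelta(seconds=10)  # assumed: how close a schtasks.exe launch must be to a 4698


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[str]:
    """Return one alert string per matching event; process alerts first, then task alerts."""
    alerts: list[str] = []
    procs = [e for e in events if e["EventID"] == 1]
    schtasks_runs = [datetime.fromisoformat(e["UtcTime"]) for e in procs
                     if _base(e["Image"]) == "schtasks.exe"]

    for e in procs:
        img, parent = _base(e["Image"]), _base(e["ParentImage"])
        cmd = e.get("CommandLine", "")
        # Stage 4: the HTA is run through mshta.exe with an Office application as parent.
        if img == "mshta.exe" and parent in OFFICE:
            alerts.append(f"mshta.exe spawned by {parent}: {cmd}")
        # Stages 2-3: a second document opened from the user's Temp folder (heuristic).
        if img == "winword.exe" and "\\appdata\\local\\temp\\" in cmd.lower():
            alerts.append(f"Word opening document from user Temp: {cmd}")

    # A task registered with no schtasks.exe launch nearby, i.e. created through the API.
    for e in events:
        if e["EventID"] != 4698:
            continue
        t = datetime.fromisoformat(e["UtcTime"])
        if not any(abs(t - r) <= TASK_WINDOW for r in schtasks_runs):
            alerts.append(f"scheduled task {e['TaskName']} created with no schtasks.exe "
                          f"launch within {TASK_WINDOW.seconds}s")
    return alerts


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry: the first four events mimic the chain, the last two are benign.
EVENTS = [
    {"EventID": 1, "UtcTime": "2025-01-13T09:00:00", "Image": WORD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{WORD}" "C:\\Users\\analyst\\Downloads\\letter.docm"'},
    {"EventID": 1, "UtcTime": "2025-01-13T09:00:04", "Image": WORD,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{WORD}" "C:\\Users\\analyst\\AppData\\Local\\Temp\\~tmp4F2A.docx"'},
    {"EventID": 1, "UtcTime": "2025-01-13T09:00:05", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": WORD,
     "CommandLine": r"mshta.exe C:\Users\analyst\AppData\Local\Temp\~tmp4F2A.hta"},
    {"EventID": 4698, "UtcTime": "2025-01-13T09:00:06", "TaskName": r"\Updater"},
    {"EventID": 1, "UtcTime": "2025-01-13T09:30:00", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /Create /TN Backup /TR backup.cmd /SC DAILY"},
    {"EventID": 4698, "UtcTime": "2025-01-13T09:30:01", "TaskName": r"\Backup"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print("ALERT:", a)
```

The 4698 correlation is deliberately loose (any `schtasks.exe` launch within the window suppresses the alert); in production, key it on the same user and host, and treat the Temp-path rule as a hunting query rather than a paging alert, since some legitimate workflows open documents from there.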