Diplomatic entities in Kazakhstan and Central Asia have been targeted by UAC-0063 using weaponized Word docs deploying HATVIBE malware
Analysis Summary
# Threat Actor: UAC-0063 (Russia-aligned Intrusion Set)
## Attribution & Identity
* **Attribution:** Linked to Russia.
* **Known Aliases and Associated Groups:** Associated with APT28 (Russian state-sponsored group linked to the GRU), based on shared tactic overlaps identified by Recorded Future and CERT-UA.
* **Historical Activities Mentioned:** Previously reported by CERT-UA in July 2024 targeting Ukrainian scientific institutions using the HatVibe malware.
## Activity Summary
A cyber-espionage campaign detected in October 2024 targeting diplomatic entities in Kazakhstan and Central Asia. The campaign used weaponized Microsoft Word documents (the discovered lures included files from the Ministry of Foreign Affairs of Kazakhstan and the Ministry of Defense of Kyrgyzstan, dated 2021 to 2024) to deliver malware and collect strategic intelligence. This activity aligns with the methodology of APT28.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear phishing via weaponized Microsoft Word documents containing malicious macros.
* **Execution Chain ("Double-Tap"):** Macro executes a second malicious Word document, leading to malware deployment.
* **Persistence:** Shares similarities with APT28's use of scheduled task persistence.
* **Defense Evasion/Loading:** Use of `mshta.exe` for scheduled task execution was noted as a detection opportunity.
* **Behavior:** Stealing strategic intelligence regarding diplomatic and economic relations.
* **MITRE ATT&CK IDs:** Not explicitly listed, but persistence via scheduled tasks aligns generally with T1053.
## Targeting
* **Sectors:** Diplomatic entities, Ministry of Foreign Affairs, Ministry of Defense, Scientific institutions (historical).
* **Geography:** Kazakhstan and Central Asia.
* **Victims:** Diplomatic entities in Kazakhstan; historical targeting includes Ukrainian scientific institutions. Specific entities mentioned include the Ministry of Foreign Affairs of Kazakhstan and the Ministry of Defense of Kyrgyzstan.
## Tools & Infrastructure
* **Malware Families Used:**
  * **HatVibe:** A VBS backdoor used to retrieve and execute additional modules from a C2 server.
  * **CherrySpy:** A more complex Python backdoor used for further intelligence gathering.
* **Infrastructure (C2, domains, IPs):** Not provided. HatVibe is described as retrieving modules from a C2 server, but the summary text gives no defanged URLs or IP addresses.
## Implications
The targeting suggests an effort by Russia to monitor and potentially influence the evolving geopolitical positioning of Kazakhstan, which has pursued a more "balanced diplomatic position" since the Russian invasion of Ukraine, including engaging with Western and Asian partners on trade and nuclear power infrastructure.
## Mitigations
* Monitor registry modifications that enable macros to run without user consent.
* Track the use of `mshta.exe` specifically for scheduled task execution.
* Apply the YARA and Sigma detection rules provided by Sekoia.
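As an added example (not Sekoia's or CERT-UA's rules, and not code from the report), the logic behind the first two mitigations above, run over a few constructed sample events. The event field names and the registry-path format are assumptions modelled on Sysmon-style registry and scheduled-task telemetry; the Office `VBAWarnings` value 1 ("enable all macros", no prompt) and `AccessVBOM` value 1 are real Office security settings.

```python
import re

# Office stores macro security per application and version. VBAWarnings=1 means
# "enable all macros" with no user prompt; AccessVBOM=1 lets VBA rewrite the project.
MACRO_SECURITY_VALUES = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security\\(VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)


def macro_security_weakened(event):
    """True for a registry value-set event that removes macro prompting."""
    if event.get("type") != "registry_set":
        return False
    if not MACRO_SECURITY_VALUES.search(event.get("target", "")):
        return False
    return str(event.get("data", "")).strip() == "1"  # 1 = run without consent


def mshta_scheduled_task(event):
    """True for a scheduled-task creation whose action launches mshta.exe."""
    if event.get("type") != "task_create":
        return False
    return "mshta.exe" in event.get("command", "").lower()


SAMPLE_EVENTS = [  # constructed sample telemetry, not indicators from the report
    {"type": "registry_set", "process": "winword.exe",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", "data": "1"},
    {"type": "registry_set", "process": "regedit.exe",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", "data": "2"},
    {"type": "task_create", "user": "CORP\\analyst", "task": "\\OfficeUpdateCheck",
     "command": r"C:\Windows\System32\mshta.exe C:\Users\Public\upd.hta"},
    {"type": "task_create", "user": "SYSTEM", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -k -g"},
]


def scan(events):
    """Return (index, reason) for every event matching either detection."""
    hits = []
    for i, ev in enumerate(events):
        if macro_security_weakened(ev):
            hits.append((i, "macro security weakened: " + ev["target"]))
        elif mshta_scheduled_task(ev):
            hits.append((i, "mshta.exe scheduled task: " + ev.get("task", "?")))
    return hits


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```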