
A cybersecurity investigation has uncovered a spearphishing campaign against Kazakhstan's government officials by a highly skilled hacking group linked to the Russian intelligence-associated actor Fancy Bear (also known as APT28). According to Sekoia's research, the group used authentic Kazakh government documents dated between 2021 and 2024, such as diplomatic statements, correspondence letters and internal administrative notes, weaponised with malware to compromise officials' systems and conduct espionage; in many cases these lures appear identical to real documents, or to documents published by the Kazakh Ministry of Foreign Affairs.
These attacks are also linked to an intrusion identified by the Ukrainian government in 2023 and attributed by Ukraine's CERT to APT28, which is also believed to be linked to Moscow's Main Intelligence Directorate (GRU). These groups are known to use cyber operations to spy on government activities and operations on behalf of the Russian government.
How it happened
The attack vector was a spearphishing campaign that delivered a malicious document to the Kazakh diplomatic target, a well-chosen strategy for getting the malware onto the target system. The spearphishing email sent to diplomatic personnel appeared legitimate but carried a document with macros that, when executed, start a sequence leading to the deployment of malware strains named HATVIBE and CHERRYSPY. This method is called ‘double tap’: once the recipient opens the first document, its macros execute and open a second malicious document, bypassing security measures that only detect single-file exploits. HATVIBE and CHERRYSPY are two malware families that allow the attackers to establish persistent access to infected systems. This is possible because the malicious Word macros downgrade the victim’s security settings, save the HATVIBE payload to the local drive, and register a clandestine launcher that executes the malware every four minutes. Once the attackers have access to the systems, the potential damage is open-ended: they could steal sensitive information, monitor internal and external communication, and move strategically within Kazakhstan’s government networks.
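Detection logic for the chain described above, as an added example that is not from Sekoia's report or the original article: it runs over a few constructed Sysmon-style events and flags an Office process writing to the macro-security registry values, an Office process directly spawning a scripting or scheduling binary, and a scheduled task that fires every few minutes. It assumes the periodic launcher is a Windows scheduled task and that the security downgrade is a VBAWarnings/AccessVBOM registry write; neither mechanism is named on this page.

```python
import re

# Constructed Sysmon-style events (not incident telemetry); id 1 = process create, id 13 = registry set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmd": "WINWORD.EXE /n statement.docx"},
    {"id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'schtasks /create /sc minute /mo 4 /tn "Updater" /tr "mshta C:\Temp\x.hta"'},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
# System binaries an Office document has little legitimate reason to launch directly.
SUSPICIOUS_CHILDREN = ("schtasks.exe", "mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe")
# VBAWarnings=1 enables all macros; AccessVBOM=1 trusts access to the VBA project model.
MACRO_SECURITY_VALUES = ("vbawarnings", "accessvbom")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_child(ev):
    """Office application directly launching a scripting/scheduling binary."""
    return (ev.get("id") == 1 and basename(ev.get("parent", "")) in OFFICE_APPS
            and basename(ev.get("image", "")) in SUSPICIOUS_CHILDREN)

def macro_security_downgrade(ev):
    """Office process writing a Trust Center macro-security value (e.g. VBAWarnings=1)."""
    return (ev.get("id") == 13 and basename(ev.get("image", "")) in OFFICE_APPS
            and basename(ev.get("target", "")) in MACRO_SECURITY_VALUES)

def short_interval_task(ev, max_minutes=5):
    """schtasks creating a task that fires every few minutes (the report cites four)."""
    if ev.get("id") != 1 or basename(ev.get("image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("cmd", "")
    minute = re.search(r"/sc\s+minute\b", cmd, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
    return bool(minute and mo) and int(mo.group(1)) <= max_minutes

def analyse(events):
    """Return (event index, rule name) for every rule each event trips."""
    rules = {"office-spawned-child": office_spawned_child,
             "macro-security-downgrade": macro_security_downgrade,
             "short-interval-scheduled-task": short_interval_task}
    return [(i, n) for i, ev in enumerate(events) for n, r in rules.items() if r(ev)]
```

Any one hit deserves review; the same Office process tripping all three within minutes is the double-tap pattern the report describes.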
Vulnerability it Exploited
The spearphishing attacks against Kazakh government organisations, attributed to the Russian-affiliated group UAC-0063 (APT28, also known as Fancy Bear), relied mostly on social engineering. The attackers started the infection by deceiving recipients into enabling harmful macros in Microsoft Word documents that appeared authentic.
The attackers exploited people’s tendency to trust and open documents that look familiar, rather than any particular application vulnerability. Once enabled, the malicious macros ran a multi-stage infection chain known as "Double-Tap", opening a second hidden Word document and installing malware such as CHERRYSPY and HATVIBE.
Although no particular zero-day exploit has been verified, APT28 has a track record of using Office flaws. Similar Russian-linked groups have exploited, among others:
CVE-2017-11882: a memory corruption vulnerability in Microsoft Office that allows remote code execution.
CVE-2022-30190 (Follina): a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that allows specially crafted documents to run code.
If the Kazakh government were using outdated Office versions, these or similar vulnerabilities may have been used to run code without macros.
The Damages caused by this Attack

Government records are usually highly confidential and contain a great deal of information about national development plans, security policies and, at times, the economy. Because APT28 obtained unauthorised access to the government's confidential communication and documents, potentially exposing diplomatic and economic strategy, the attack on the Kazakh government had several consequences. The primary damage is data theft: the attackers may have stolen sensitive diplomatic communication, agreements and intelligence, which could affect Kazakhstan’s international negotiations, especially between Germany and Central Asia. Second, eroded trust in communication systems: the use of convincing lookalike government documents has undermined confidence among government personnel in the internal communication networks, which may cause hesitation when sharing information. Third, the attack forced the government to allocate resources to incident response: the Ministry of Digital Technology has initiated an investigation and audit to assess and mitigate breaches, diverting resources that could have been used in other critical areas.
Fourth, Kazakhstan will suffer reputational damage: if other countries see Kazakhstan’s security as weak, they may hesitate to share sensitive information with it, which could isolate it from diplomatic negotiations.
Fifth, geopolitical damage: Russia gaining insight into a Central Asian alliance with Germany could let it counter those initiatives, undermining EU or Western influence and potentially reshaping regional alliances, which amounts to serious strategic damage.
Finally, there could be legal and financial repercussions; for instance, if personal data was compromised, the country might face GDPR fines, especially if the affected person is an EU citizen. Recovering from the attack would also cost a great deal in cybersecurity upgrades and incident response.