Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Throughout Europe and Asia

Nov 22, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware

Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe.

Recorded Future’s Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The hacking crew has been active since at least 2021.

“Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions,” the cybersecurity firm said in a Thursday report. “HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage.”

TAG-110’s use of HATVIBE and CHERRYSPY was first documented by CERT-UA back in late May 2023 in connection with a cyber attack targeting state agencies in Ukraine. Both malware families were observed again over a year later in an intrusion at an unnamed scientific research institution in the country.

As many as 62 unique victims across eleven countries have been identified since then, with notable incidents in Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan, indicating that Central Asia is a primary area of focus for the threat actor in a likely attempt to gather intelligence that informs Russia’s geopolitical objectives in the region.

A smaller number of victims have also been detected in Armenia, China, Hungary, India, Greece, and Ukraine.

HATVIBE and CHERRYSPY Malware

Attack chains involve the exploitation of security flaws in public-facing web applications (e.g., Rejetto HTTP File Server) and phishing emails as the initial access vector to drop HATVIBE, a custom HTML Application (HTA) loader that serves as a conduit to deploy the CHERRYSPY backdoor for data gathering and exfiltration.

“TAG-110’s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states,” Recorded Future said. “These regions are significant to Moscow due to strained relations following Russia’s invasion of Ukraine.”

Russia is also believed to have ramped up its sabotage operations across European critical infrastructure following its full-scale invasion of Ukraine in February 2022, targeting Estonia, Finland, Latvia, Lithuania, Norway, and Poland with the goal of destabilizing NATO allies and disrupting their support for Ukraine.

“These covert activities align with Russia’s broader hybrid warfare strategy, aiming to destabilize NATO countries, weaken their military capabilities, and strain political alliances,” Recorded Future said, describing the efforts as “calculated and persistent.”

“As relations between Russia and the West will almost certainly remain fraught, Russia is very likely to increase the destructiveness and lethality of its sabotage operations without crossing the threshold of war with NATO as discussed in the Gerasimov doctrine. These physical attacks will likely complement Russian efforts in the cyber and influence operations realm in line with Russia’s hybrid war doctrine.”
