Threat actors associated with Russia are reportedly conducting a cyber espionage campaign against organizations in Central Asia, East Asia, and Europe. The activity, which Recorded Future's Insikt Group tracks as TAG-110, overlaps with UAC-0063, a cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) has linked to APT28. The activity has been traced back to at least 2021.
Targeted Sectors and Tools Utilized
TAG-110 has primarily targeted government agencies, human rights organizations, and educational institutions. Its intrusions rely on two custom malware tools: HATVIBE and CHERRYSPY. HATVIBE is a loader whose role is to stage CHERRYSPY, a Python-based backdoor used for data theft and espionage. CERT-UA first documented the use of HATVIBE and CHERRYSPY in May 2023, in connection with an attack on Ukrainian state agencies; more recently, the same malware families were observed during an intrusion at a scientific research institution in Ukraine. To date, 62 unique victims across eleven countries have been identified, with the heaviest concentration in the Central Asian states of Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan.
Attack Methodology
Initial access typically comes from one of two vectors: exploitation of vulnerabilities in public-facing web applications, such as Rejetto HTTP File Server, or phishing emails. Either route is used to plant HATVIBE, which then deploys the CHERRYSPY backdoor for data collection and exfiltration. Because CHERRYSPY is only delivered through the loader, exposed services and inbound email are the two places where defenders can break the chain before the backdoor ever lands.
Strategic Objectives
According to Recorded Future, the operations are likely aligned with broader Russian efforts to collect intelligence on geopolitical developments and to retain influence over post-Soviet states. That focus reflects the strategic importance of these regions to Moscow, particularly as its relationships with them have been strained by the invasion of Ukraine.

Beyond cyber operations, Russia has allegedly stepped up sabotage against critical European infrastructure since the invasion, with Estonia, Finland, Latvia, Lithuania, Norway, and Poland among the affected countries. These actions are assessed as attempts to destabilize NATO allies and to undermine their support for Ukraine. Recorded Future characterizes them as part of a calculated and persistent hybrid warfare strategy aimed at destabilizing NATO, degrading military capabilities, and challenging political alliances. As long as relations remain tense, the intensity and frequency of these operations could increase, complementing Russia's wider influence efforts.