Cyber-Espionage Campaign by TAG-110 Targets Multiple Regions


Quick take - Insikt Group has reported the emergence of a cyber-espionage campaign attributed to the Russian-aligned group TAG-110, which targets government entities, human rights organizations, and educational institutions across Central Asia, East Asia, and Europe, employing custom malware and phishing tactics to gather intelligence on geopolitical developments.

Fast Facts

  • TAG-110, a cyber-espionage group aligned with Russia, targets organizations in Central Asia, East Asia, and Europe, focusing on government entities, human rights organizations, and educational institutions.
  • Since July 2024 the group has been linked to intrusions at 62 victims in eleven countries, with notable activity in Kazakhstan, Kyrgyzstan, and Uzbekistan, supporting Russia’s intelligence-gathering strategy in post-Soviet states.
  • TAG-110 employs custom malware tools, including HATVIBE (a loader) and CHERRYSPY (a Python-based backdoor), and gains initial access through phishing emails and exploitation of vulnerable public-facing web services.
  • HATVIBE relies on obfuscation (VBScript encoding and XOR) to evade detection, and CHERRYSPY encrypts its command-and-control (C2) traffic with RSA and AES before exfiltrating sensitive data.
  • Insikt Group has published indicators of compromise, detection rules, and mitigations for TAG-110, emphasizing monitoring for known indicators, patching exposed services, and enhancing threat awareness.

Emergence of Cyber-Espionage Campaign by TAG-110 Targeting Central Asia, East Asia, and Europe

Insikt Group has reported the emergence of a cyber-espionage campaign attributed to TAG-110, a threat group aligned with Russia. TAG-110 primarily targets organizations in Central Asia, East Asia, and Europe, focusing on government entities, human rights organizations, and educational institutions. Its tactics overlap with those of UAC-0063, which has been linked to the Russian Advanced Persistent Threat (APT) group BlueDelta, also known as APT28.

Recent Activities and Targets

Since July 2024, TAG-110 has been implicated in cyber incidents affecting 62 victims across eleven countries. Notable activity has been observed in Kazakhstan, Kyrgyzstan, and Uzbekistan. The group’s operations are believed to support Russia’s broader strategy of gathering intelligence on geopolitical developments, particularly in post-Soviet states.

The campaign employs two custom malware tools, HATVIBE and CHERRYSPY. HATVIBE functions as a loader that delivers CHERRYSPY, a Python-based backdoor built for espionage and encrypted data exfiltration. Initial access is typically achieved through phishing emails; exploitation of vulnerabilities in public-facing web services, such as the Rejetto HTTP File Server, is the other commonly observed method.

Malware Techniques and Communication

Notably, the campaign has been linked to the exploitation of CVE-2024-23692 in the Rejetto HTTP File Server, highlighting the ongoing threat posed by unpatched public-facing services. HATVIBE uses several obfuscation techniques, including VBScript encoding and XOR encoding of its strings and payload, to evade detection. It establishes persistence through a scheduled task that launches the HTA payload with the mshta.exe utility. Communication with command-and-control (C2) servers is conducted via HTTP PUT requests that relay collected system information.

The identified C2 infrastructure for HATVIBE includes the domains trust-certificate[.]net and experience-improvement[.]com, while CHERRYSPY uses C2 domains including internalsecurity[.]us and errorreporting[.]net. Once deployed, CHERRYSPY monitors the compromised system and extracts sensitive information, with governmental and research organizations the primary targets. Its communication with C2 servers is protected with RSA and AES encryption.
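The persistence, C2, and infrastructure details above translate directly into hunting logic. The following is an added example, not code from Insikt Group or the original article: it runs simple detections over constructed endpoint and network events (modelled loosely on Sysmon process-creation, proxy, and DNS records; the event shapes and field names are assumptions, not a real log format). The only values taken from the text are the four C2 domains, defanged on the page and normalised here.

```python
"""Hunt for HATVIBE/CHERRYSPY tradecraft in sample telemetry (added example)."""
import ntpath
from typing import Dict, Iterable, List, Tuple

# C2 domains quoted in the report text (defanged there, normalised here).
HATVIBE_C2 = {"trust-certificate.net", "experience-improvement.com"}
CHERRYSPY_C2 = {"internalsecurity.us", "errorreporting.net"}
IOC_DOMAINS = HATVIBE_C2 | CHERRYSPY_C2

# Paths a loader dropped by phishing typically lands in (tuning assumption).
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

Finding = Tuple[str, str]  # (rule name, evidence)

# Constructed sample events; not real captures. Field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "schtasks /create /sc minute /mo 10 /tn Updater "
                "/tr \"mshta.exe C:\\Users\\Public\\update.hta\""},
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "mshta.exe C:\\Users\\Public\\update.hta"},
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"type": "http", "method": "PUT", "host": "trust-certificate.net",
     "uri": "/api/upload", "status": "200"},
    {"type": "http", "method": "GET", "host": "www.example.org",
     "uri": "/", "status": "200"},
    {"type": "dns", "query": "errorreporting.net", "answer": "203.0.113.10"},
    {"type": "dns", "query": "cdn.internalsecurity.us", "answer": "203.0.113.11"},
    {"type": "dns", "query": "example.org", "answer": "93.184.216.34"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _matches_ioc(host: str, iocs: Iterable[str]) -> bool:
    """True for an exact IOC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def check_process(ev: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    if image == "schtasks.exe" and "mshta" in cmd.lower():
        findings.append(("scheduled task registers mshta.exe (HATVIBE persistence pattern)", cmd))
    if image == "mshta.exe":
        # The Task Scheduler service runs inside svchost.exe, so task-launched
        # HTAs show svchost.exe as parent rather than explorer.exe.
        if parent == "svchost.exe":
            findings.append(("mshta.exe launched by Task Scheduler", cmd))
        if any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append(("mshta.exe running HTA from user-writable path", cmd))
    return findings


def check_network(ev: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    if ev["type"] == "http":
        host = ev.get("host", "")
        if ev.get("method", "").upper() == "PUT" and _matches_ioc(host, HATVIBE_C2):
            findings.append(("HTTP PUT to HATVIBE C2 domain", f"{host}{ev.get('uri', '')}"))
        elif _matches_ioc(host, IOC_DOMAINS):
            findings.append(("HTTP request to TAG-110 C2 domain", host))
    elif ev["type"] == "dns" and _matches_ioc(ev.get("query", ""), IOC_DOMAINS):
        findings.append(("DNS resolution of TAG-110 C2 domain", ev["query"]))
    return findings


def hunt(events: Iterable[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.get("type") == "process_create":
            findings.extend(check_process(ev))
        else:
            findings.extend(check_network(ev))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The domain matches are high-confidence but short-lived; refresh the list from the published indicators rather than hard-coding it in production. The mshta.exe heuristics are the durable part: mshta.exe is a legitimate signed binary, so the signal is the combination of a scheduled task that invokes it, a Task Scheduler parent, and an HTA living in a user-writable path, and each of those thresholds is a tuning assumption to validate against your own baseline.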

Implications and Recommendations

The intelligence gathered through these operations is believed to support Russia’s military efforts and improve its understanding of regional dynamics, especially following the invasion of Ukraine. Insikt Group has published actionable guidance to help organizations defend against these threats, including indicators of compromise, detection rules, and recommended mitigations. These emphasize monitoring for the known indicators, patching exposed services such as the Rejetto HTTP File Server, enhancing threat awareness, and making use of threat intelligence tooling.

As TAG-110’s activities align with Russian geopolitical interests, particularly in Central Asia, it is anticipated that the group will persist in its cyber-espionage endeavors, with a continued focus on Ukraine and neighboring post-Soviet states. While the connection between TAG-110 and BlueDelta remains unconfirmed, the strategic overlap in their operations suggests a coordinated effort to bolster Russian influence in the region.

Original Source: Read the Full Article Here
