CPC - Caspian Policy Center



Russia’s Shadow War Reaches Kazakhstan: Inside Moscow’s Espionage Offensive

Author: Maia Kiniyalocts

02/07/2025


Last month the French cyber-security company Sekoia released a report exposing Russia’s latest cyber-espionage campaign against Kazakhstan’s government.  The campaign delivered malware hidden inside official documents and emails, threatening widespread security problems for Central Asia’s largest economy.  For many countries bordering Russia, and particularly for Central Asia these days, cyber-attacks are a constant reminder of the Kremlin’s regional aggression.

The Sekoia report exposed the latest attempt by Russia to use cyber-attacks to maintain influence in Central Asia.  In April 2024, Ukraine’s Computer Emergency Response Team (CERT-UA) discovered fake emails carrying malware that purported to come from the Embassy of Tajikistan in Ukraine, disguised as routine documents and links.  CERT-UA attributed the activity to UAC-0063, its designation for a Russia-linked threat cluster that has been spying on foreign officials since 2021.

Building on CERT-UA’s findings, and on patterns shared by earlier Russian espionage campaigns, Sekoia uncovered further phishing lures.  On October 16, 2024, it identified additional malicious files posing as correspondence from Kazakhstan’s embassies in Afghanistan and Belgium to the Ministry of Foreign Affairs.

Following this document, Sekoia researchers found 10 additional files that had not yet been publicly exposed.  Many of these Word documents originated from the Ministry of Foreign Affairs of the Republic of Kazakhstan and consisted of correspondence letters, drafts, and administrative notes.  Researchers estimate that the campaign ran from 2021 to October 2024, when Sekoia found the final document.  Ironically, the first document discovered was an administrative note warning officials about the threat of cyber-espionage attempts.

According to the French researchers, the infection chain is familiar, but the code used is new.  A malicious document is emailed to officials; when it is opened, it drops and opens a second, blank document, and that second document installs the malware.  Such intrusions are central to Moscow’s espionage campaigns: fake emails are sent to government officials, genuine official documents are weaponized with malware, and Russia gains access to the contents of officials’ workstations.
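A defender receiving documents like the ones described above would want a first-pass check on Word attachments before they reach officials’ inboxes.  The script below is an added example written for this article, not tooling from Sekoia or CERT-UA.  It assumes that the dropped second document travels inside the lure as a VBA macro project or an embedded OLE object, which the report summary above does not state; the function name `triage_docx` and the sample documents are constructed for the demonstration.

```python
"""Mail-gateway triage for Word attachments (added example, not Sekoia's code).

Flags a document that can carry a second-stage payload: an OOXML file
(.docx/.docm) with a VBA project or embedded OLE objects, or a legacy binary
.doc (OLE2 compound file), which cannot be inspected as a zip and should be
handed to a dedicated macro analyser. Assumption: the "blank document" rides
inside the lure as a macro or embedded object; the article does not say how
it is delivered.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / OLE compound file header
VBA_PART = "word/vbaProject.bin"                   # where OOXML stores a VBA project
EMBED_PREFIX = "word/embeddings/"                  # where OOXML stores embedded OLE objects


def triage_docx(data: bytes) -> dict:
    """Return findings for one attachment blob; never raises on odd input."""
    findings = {"format": "unknown", "has_vba": False,
                "embedded_objects": [], "verdict": "not-a-word-document"}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Word file: macros live in OLE streams, not zip parts,
        # so this check cannot clear it; route it to stream-level analysis.
        findings["format"] = "ole2"
        findings["verdict"] = "legacy-ole2-inspect-streams"
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return findings                          # a zip, but not an Office package
    findings["format"] = "ooxml"
    findings["has_vba"] = VBA_PART in names
    findings["embedded_objects"] = sorted(
        n for n in names if n.startswith(EMBED_PREFIX) and not n.endswith("/"))
    findings["verdict"] = ("suspicious" if findings["has_vba"] or findings["embedded_objects"]
                           else "clean")
    return findings


def build_sample(extra_parts: dict) -> bytes:
    """Constructed OOXML sample for the demo (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, body in extra_parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a plain document, one with a VBA project, one with an
# embedded object, and a minimal legacy OLE2 header.
BENIGN_DOC = build_sample({})
MACRO_DOC = build_sample({VBA_PART: OLE2_MAGIC + b"\x00" * 8})
EMBED_DOC = build_sample({"word/embeddings/oleObject1.bin": OLE2_MAGIC + b"\x00" * 8})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_DOC), ("macro", MACRO_DOC),
                        ("embedded", EMBED_DOC), ("legacy", LEGACY_DOC)]:
        print(f"{label:9s} -> {triage_docx(blob)['verdict']}")
```

The check only says whether a document is able to carry executable or embedded content; it does not say whether the content is hostile.  A legacy .doc is deliberately never marked clean, because its macros sit in OLE streams the zip module cannot see, and a tool such as olevba from oletools is needed to look inside them.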

This latest malicious code has been linked to APT28 (also known as Fancy Bear and Pawn Storm), a group affiliated with the Main Intelligence Directorate (GRU) of Russia’s General Staff.  The group has conducted espionage campaigns against Central Asia before, relying on a malware family called Zebrocy.

From 2015 to 2020, APT28 conducted cyber-attacks against government bodies across the Central Asian region.  In 2019, for example, APT28 ran a phishing campaign against embassies and foreign affairs ministries in Eastern Europe and Central Asia.  The attack installed a “backdoor” that gave the attackers persistent access to officials’ computers and, through them, direct access to confidential documents.

For decades, Russia has stolen information from, or planted malware in, important governmental and civilian organizations.  The first widely publicized Russian cyber-attack came in May 2007 against Estonia, when government networks were overwhelmed by junk traffic generated by an unidentified group of hackers believed to have been funded by the Russian government.  With some online government services and some bank systems disrupted, the attack was disruptive rather than destructive, but it was notable for signaling Russia’s growing cyber competency to the international community.

Since 2007, Russian cyber-attacks have increased in frequency and intensity.  Russia’s 2014 annexation of Crimea led to a large increase in cyber espionage and interference.  In the lead-up to Russia’s 2022 invasion of Ukraine, 288,000 cyber-attacks were recorded against the Ukrainian government, targeting critical infrastructure such as power, banking, and official communications.

With many countries in Central Asia distancing themselves from Russia, Moscow is increasingly investing in closely monitoring its neighbors.  Kazakhstan, in particular, is traditionally thought of as a Russian ally.  Yet, its growing independent foreign policy, catalyzed by Russia’s invasion of Ukraine, presents a problem for its northern neighbor.  As Kazakhstan and the rest of Central Asia continue to diversify their international trade and cooperation, continuing to track Russia’s cyber capabilities is vital.
