Russian Cyberespionage Group Hit 60 Victims in Asia, Europe

November 22, 2024 at 07:02AM

A Russia-linked cyberespionage group, TAG-110, has targeted over 60 victims across Asia and Europe, mainly in government and education, since at least 2021. Utilizing malware like HatVibe and CherrySpy, the group’s activities align with Russian geopolitical interests, particularly in Central Asia, impacting multiple sectors and national institutions.

### Meeting Takeaways

1. **Cybersecurity Threat Overview**:
– A Russia-linked cyberespionage group, identified as TAG-110, has targeted over 60 entities in Asia and Europe, primarily in government, human rights, and education sectors.

2. **Identification and Historical Activity**:
– TAG-110 was first identified in May 2023 and has been active since at least 2021. Its activities overlap with those of UAC-0063, associated with the Russian APT actor APT28.

3. **Targeted Regions**:
– The group has focused on entities in Central Asia, India, Israel, Mongolia, and Ukraine, with notable activity in Tajikistan, Kyrgyzstan, Turkmenistan, Kazakhstan, Armenia, China, Greece, Uzbekistan, and Hungary.

4. **Victims**:
– Identified victims include Kazakh state-owned oil and gas subsidiary KMG-Security, a Tajik educational institution, and Uzbekistan’s National Center for Human Rights.

5. **Malware and Techniques**:
– TAG-110 has utilized malware such as HatVibe and CherrySpy. HatVibe is an HTML Application (HTA) loader, while CherrySpy is a custom Python backdoor for system monitoring and information exfiltration.

6. **Initial Access Methods**:
– The group often gains initial access through malicious email attachments and by exploiting vulnerabilities in internet-facing services like Rejetto HTTP File Server (HFS).

7. **Strategic Objectives**:
– The activities of TAG-110 align with Russia’s geopolitical aims, especially regarding maintaining influence in Central Asia and supporting military efforts through gathered intelligence.

8. **Future Implications**:
– The ongoing cyberespionage campaigns may continue to evolve, necessitating heightened vigilance and proactive cybersecurity measures from targeted organizations.

### Action Items
– Monitor and assess cybersecurity defenses against the malware TAG-110 uses, such as HatVibe and CherrySpy.
– Stay informed about potential geopolitical developments that could influence TAG-110’s operations.
– Consider implementing training and resources for affected sectors to strengthen defenses against cyberespionage activities.
