November 22, 2024 at 07:12AM
Russian-linked threat group TAG-110 has been conducting a cyber espionage campaign against targets in Central Asia, East Asia, and Europe using two custom malware tools, HATVIBE and CHERRYSPY. The campaign, focused on government and educational institutions, aims to gather intelligence in support of Russia’s geopolitical interests, particularly in post-Soviet states.
**Meeting Takeaways – Cyber Espionage / Malware Discussion (Nov 22, 2024)**
1. **Threat Overview**:
– Russian-affiliated threat group TAG-110 is conducting cyber espionage in Central Asia, East Asia, and Europe.
– The group overlaps with the activity CERT-UA tracks as UAC-0063, which is associated with APT28; its activity dates back to at least 2021.
2. **Malware Utilization**:
– TAG-110 employs two primary custom malware tools:
– **HATVIBE**: A loader used to stage and execute the second-stage payload.
– **CHERRYSPY**: A Python-based backdoor used for data collection and exfiltration.
3. **Targeted Organizations**:
– Victims include government entities, human rights organizations, and educational institutions.
– Notable incidents were recorded primarily in Central Asian countries: Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan, with additional victims from Armenia, China, Hungary, India, Greece, and Ukraine.
4. **Attack Vectors**:
– **Initial Access**: HATVIBE is delivered either by exploiting vulnerabilities in public-facing web applications or through phishing emails.
– **Second Stage**: Once running, HATVIBE loads CHERRYSPY, which carries out data collection and exfiltration.
5. **Geopolitical Context**:
– TAG-110’s activities are part of a broader Russian effort to improve intelligence collection on geopolitical developments in post-Soviet states, especially as relations with those states have been strained since the invasion of Ukraine.
6. **Sabotage Operations**:
– Russia has escalated sabotage efforts across European critical infrastructure, aiming to destabilize NATO allies and undermine their support for Ukraine.
7. **Hybrid Warfare Strategy**:
– TAG-110’s operations are consistent with Russia’s hybrid warfare approach, which includes cyber and physical attacks to weaken NATO and maintain strategic influence.
8. **Future Outlook**:
– Russian cyber operations are expected to become more destructive, consistent with the Gerasimov doctrine, while remaining below the threshold of open war with NATO.
**Action Items**:
– Monitor updates on TAG-110 and related threat activities.
– Assess your organization’s exposure along both of TAG-110’s initial access paths: unpatched or exposed public-facing web applications, and phishing.
– Reinforce phishing awareness training and the related mitigations.
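As an added, generic hunting example (not code from the original summary or from Recorded Future, and not based on any TAG-110 indicator, since the summary publishes none): the chain in item 4, a loader delivered by a web application exploit or a phishing email that then runs a Python backdoor, leaves a process-tree pattern that can be hunted in endpoint process-creation logs, which is one concrete way to act on the first action item. The script below parses constructed Sysmon-style key=value events (sample data, not real telemetry) and flags interpreters or script hosts spawned by Office applications, web server workers or other script hosts, and Python scripts executed from user-writable directories. The process-name sets and directory patterns are assumptions to tune for your environment.

```python
"""Hunt for loader-then-interpreter process chains in process-creation logs.

Added example: generic heuristics, not TAG-110 indicators (the summary gives none).
"""
import re

# Constructed Sysmon-style events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    r'host=ws01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'image="C:\Windows\System32\mshta.exe" cmd="mshta.exe C:\Users\ana\AppData\Roaming\report.hta"',
    r'host=ws01 parent="C:\Windows\System32\mshta.exe" '
    r'image="C:\Users\ana\AppData\Local\Programs\Python\Python311\pythonw.exe" '
    r'cmd="pythonw.exe C:\Users\ana\AppData\Roaming\svc\main.py"',
    r'host=web01 parent="C:\Windows\System32\inetsrv\w3wp.exe" '
    r'image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c whoami"',
    r'host=dev02 parent="C:\Windows\explorer.exe" '
    r'image="C:\Python311\python.exe" cmd="python.exe C:\Projects\tool\build.py"',
    r'host=web02 parent="/usr/sbin/apache2" image="/usr/bin/python3" cmd="python3 /tmp/.x/c.py"',
    r'host=ws03 parent="C:\Windows\System32\svchost.exe" '
    r'image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c schtasks /query"',
]

# Process-name sets are assumptions: extend them for your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_WORKERS = {"w3wp.exe", "httpd", "httpd.exe", "apache2", "nginx", "php-fpm", "tomcat"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
INTERPRETERS = {"python.exe", "python3.exe", "pythonw.exe", "python", "python3", "cmd.exe", "sh", "bash", "dash"}
SUSPICIOUS_PARENTS = OFFICE_APPS | WEB_WORKERS | SCRIPT_HOSTS
CHILDREN_OF_INTEREST = SCRIPT_HOSTS | INTERPRETERS

# Directories any user can write to; a backdoor script staged here is worth a look.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|/tmp/|/dev/shm/|/var/tmp/", re.I
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse key=value pairs; values containing spaces are double-quoted."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path):
    """Lower-cased final path component, accepting both backslash and slash separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the list of rule names an event trips (empty if benign)."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmd = event.get("cmd", "")
    # Only the arguments matter for the path check; the interpreter itself may
    # legitimately live under AppData (per-user Python installs do).
    args = cmd.split(None, 1)[1] if " " in cmd else ""
    rules = []
    if image in CHILDREN_OF_INTEREST and parent in SUSPICIOUS_PARENTS:
        rules.append("interpreter_from_suspicious_parent")
    if image.startswith("python") and USER_WRITABLE_RE.search(args):
        rules.append("python_script_in_user_writable_dir")
    return rules


def hunt(lines):
    """Return (index, host, rules) for every event that trips at least one rule."""
    findings = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        rules = classify(event)
        if rules:
            findings.append((index, event.get("host", "?"), rules))
    return findings


if __name__ == "__main__":
    for index, host, rules in hunt(SAMPLE_EVENTS):
        print(f"event {index} on {host}: {', '.join(rules)}")
```

Run against the constructed sample, the script flags the Office-to-script-host chain, the script host launching Python from a user profile directory, and the web workers spawning a shell or interpreter, while leaving the developer's build script and the service-host command alone. Feeding it real Sysmon Event ID 1 or auditd execve records only requires adapting `parse_event` to that format; the rules themselves are deliberately simple so that the trade-off between coverage and false positives stays visible.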
The findings above are drawn from Recorded Future’s reporting on TAG-110; follow their updates on Twitter and LinkedIn for further details.