
Russian hackers target 62 organisations across 11 countries


A newly identified cyber-espionage campaign, attributed to the Russian-aligned threat group TAG-110, is actively targeting key organisations in Central Asia, East Asia, and Europe. The campaign’s victims span 62 organisations across 11 countries, including Armenia, Greece, China, Hungary, India, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

This group, suspected of being linked with the Russian advanced persistent threat (APT) group BlueDelta (APT 28), has been deploying custom malware tools — Hatvibe and Cherryspy — to execute espionage operations aimed at governments, human rights groups, and educational institutions across the regions.

The targeted countries are of significant strategic interest to Russia, which seeks to exert its geopolitical influence in the region. Researchers observed that the tactics and malware used in the campaign suggest that it forms part of a broader Russian intelligence-gathering effort to monitor geopolitical developments and influence outcomes in post-Soviet states.

“TAG-110’s activities align with Russia’s geopolitical objectives, particularly in Central Asia, where Moscow seeks to maintain influence amid strained relations. Intelligence gathered through these campaigns likely aids in bolstering Russia’s military efforts and understanding regional dynamics,” researchers said.

11 countries targeted by Russian TAG-110. | Source: Recorded Future

The Hatvibe loader is used primarily to deploy additional malicious payloads such as Cherryspy. It is delivered through malicious email attachments or by exploiting vulnerable web-facing services, including those running the Rejetto HTTP File Server.

Once deployed, Hatvibe achieves persistence on compromised systems by creating scheduled tasks that run via the mshta.exe utility. The loader is designed with obfuscation techniques, such as VBScript encoding and XOR encryption, making it challenging for traditional security measures to detect.

It then communicates with a command-and-control (C2) server using HTTP PUT requests, sending back vital system information.
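As an added illustration, not code from the report or this article, the following hunts over constructed telemetry for the two Hatvibe behaviours described above: a scheduled task whose command launches mshta.exe, and repeated HTTP PUT requests from one host to the same external destination. The log line formats and the 203.0.113.10 address are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not from the report): Windows task-creation
# events (Event ID 4698, flattened to one line each) and web-proxy log lines.
SCHEDULED_TASK_EVENTS = [
    'EventID=4698 TaskName=\\Microsoft\\Windows\\Maintenance\\Update '
    'Command="C:\\Windows\\System32\\mshta.exe" Arguments="C:\\Users\\Public\\update.hta"',
    'EventID=4698 TaskName=\\Backup\\Nightly '
    'Command="C:\\Windows\\System32\\robocopy.exe" Arguments="C:\\data D:\\bak /MIR"',
]
PROXY_LOG = [
    '2024-11-22T08:01:13Z 10.0.0.15 PUT http://203.0.113.10/upload 200 1422',
    '2024-11-22T08:01:20Z 10.0.0.15 GET https://www.example.com/ 200 5120',
    '2024-11-22T08:06:14Z 10.0.0.15 PUT http://203.0.113.10/upload 200 1431',
]

# Task command that points at mshta.exe, regardless of path or letter case.
MSHTA_RE = re.compile(r'Command="[^"]*mshta\.exe"', re.IGNORECASE)
# Assumed proxy line layout: timestamp source method url status bytes.
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$'
)


def mshta_task_creations(events):
    """Return task-creation (4698) events whose command launches mshta.exe."""
    return [e for e in events if 'EventID=4698' in e and MSHTA_RE.search(e)]


def repeated_put_uploads(lines, min_count=2):
    """Count HTTP PUT requests per (source, destination host) and return the
    pairs seen at least min_count times, i.e. candidate beaconing."""
    counts = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if not m or m.group('method') != 'PUT':
            continue
        host = re.sub(r'^https?://', '', m.group('url')).split('/')[0]
        key = (m.group('src'), host)
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


if __name__ == '__main__':
    for event in mshta_task_creations(SCHEDULED_TASK_EVENTS):
        print('suspicious scheduled task:', event)
    for (src, host), n in repeated_put_uploads(PROXY_LOG).items():
        print(f'{src} sent {n} PUT requests to {host}')
```

In production the same two rules would run over Security-log task events and proxy or firewall exports rather than inline strings, and the PUT threshold would be tuned against known upload destinations.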

Complementing Hatvibe is Cherryspy, a backdoor tool that facilitates secure data exfiltration. It uses robust encryption methods like RSA and AES to establish a secure channel with its C2 server, enabling attackers to monitor victim systems and extract sensitive information.

Infrastructure, targets, and malware capabilities of TAG-110. | Source: Recorded Future

Governments, human rights organisations, and academic institutions have been primary targets. The malware primarily extracts critical data that could be valuable for geopolitical intelligence.

Researchers observed that TAG-110’s cyber activities align closely with Russia’s national security interests, particularly its desire to maintain influence in Central Asia and the broader post-Soviet space. This region is crucial for Russia’s geopolitical strategy, especially in the context of the ongoing tensions between Russia and Western powers following the invasion of Ukraine.

Cyber security experts have urged organisations to monitor for indicators of compromise, deploy detection rules, patch vulnerabilities like CVE-2024-23692, and train employees on cybersecurity.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
