Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering

Kazakhstani Espionage Group Targets Neighboring Governments

Group Masqueraded as Azerbaijani Hackers to Hide Affiliation With Kazakhstan
Kazakhstani Espionage Group Targets Neighboring Governments
The presidential Palace of Nations in Dushanbe, Tajikistan, one of the countries hit by the YoroTrooper group (Image: Shutterstock)

A Kazakhstan-based cyberespionage group that has been stealing credentials and data from government agencies of the Commonwealth of Independent States countries is going great lengths to hide its identity. The group is using custom malware and evasion techniques to pose as Azerbaijani hackers.

See Also: New Zealand Ministry of Education Protecting Student and Faculty Communications Nationwide

Cybersecurity company Cisco Talos said Wednesday the cyberespionage actor, dubbed YoroTrooper, used VPN exit nodes local to Azerbaijan to make it appear as if the operations originated in that country.

But researchers said YoroTrooper either acted under the direction of the Kazakhstani state or stole data to sell it to Kazakhstan, based on several factors including the group's fluency in Kazakh and Russian languages, its use of Kazakhstani currency and focus on the security of the Kazakhstani state-owned email service. The group targeted only one Kazakhstani organization this year - the Anti-corruption Agency.

YoroTrooper hosted a majority of its infrastructure in Azerbaijan despite not speaking the Azerbaijani language, and researchers said the hackers used Google Translate to translate text from Russian to Azerbaijani to use in phishing attacks.

Cisco Talos first outed the group in March, warning that YoroTrooper conducted espionage operations to target government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States countries since at least June 2022.

YoroTrooper deployed a range of infostealers and commodity malware such as AveMaria/Warzone RAT, LodaRAT and Meterpreter to exfiltrate confidential secrets from multiple entities, including embassies of European countries in Azerbaijan and Turkmenistan, the World Intellectual Property Organization and a critical European Union healthcare agency. Talos researchers did not associate the threat actor with Kazathstan at that time.

This week, Cisco Talos said YoroTrooper has moved away from commodity malware since March and increasingly relies on "new custom malware spanning across different platforms such as Python, PowerShell, GoLang and Rust."

"YoroTrooper relies heavily on learning on the go to carry on their malicious activities," Cisco Talos said. "We've observed the operator constantly attempting to buy new tools such as VPN connections."

Since June, the group has used custom malware and a variety of credential-stealing tools to steal data including about 165MB of documents from a Tajik government official's computer. The group also compromised the websites of Tajikistan's Chamber of Commerce and Industry and the Drug Control Agency.

YoroTrooper later compromised the websites of Kyrgyzstan's state-owned coal enterprise and used spear-phishing tactics to victimize a state employee of the Ministry of Transport and Roads. The group also hit a high-ranking official from the Uzbek Ministry of Energy.

Cisco Talos said YoroTrooper uses Google, Shodan and Censys to search for vulnerable PHP-based servers and find vulnerabilities and data exposure before sending spear-phishing emails to employees. The phishing emails direct victims to attacker-controlled pages designed to harvest credentials.

"Our research also indicated that the group actively relies on vulnerability scanners, such as Acunetix, and open-source data, such as the information available on Shodan, to locate and infiltrate the public-facing servers of their targets," researchers said.

Threat actors also ported their Python-based remote access tool to PowerShell in February to reduce the malware's footprints on infected systems and began using Windows executables in place of LNK and HTA-based infection chain to prevent researchers from accurately attributing the attacks.


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.