Ethical Hacking News
Russia-linked threat actors tracked as TAG-110 have been employing custom malware tools against organizations in Asia and Europe. The campaign, which has focused primarily on government entities, human rights groups, and educational institutions in Central Asia, East Asia, and Europe, has raised concerns about the sophistication of Russian cyber espionage capabilities. This article summarizes TAG-110's tactics, techniques, and procedures and the persistence of its campaigns.
Russia-linked threat actors tracked as TAG-110 have been targeting organizations in Asia and Europe with custom malware tools. TAG-110's tactics, techniques, and procedures align with historical operations attributed to APT28, the Russian APT also known as Fancy Bear and STRONTIUM. The group uses the HATVIBE loader to deliver malware such as CHERRYSPY, a Python backdoor that encrypts the data it exfiltrates. TAG-110 has targeted government agencies, human rights organizations, and educational institutions in Central Asia to extract sensitive information and monitor systems. The campaign suggests a strategic interest in maintaining influence in the region, particularly amid strained relations following Russia's invasion of Ukraine. TAG-110 is expected to continue its cyber-espionage campaigns, focusing on post-Soviet Central Asian states, Ukraine, and Ukraine's allies.
According to a recent report from Recorded Future's Insikt Group, Russia-linked threat actors tracked as TAG-110 have been employing custom malware tools against organizations in Asia and Europe. The campaign has focused primarily on government entities, human rights groups, and educational institutions in Central Asia, East Asia, and Europe, and has raised concerns about the sophistication of Russian cyber espionage capabilities.
TAG-110's tactics, techniques, and procedures (TTPs) align with historical operations attributed to the Russian APT APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM. The group delivers malware such as CHERRYSPY through the HATVIBE loader, and its campaigns have been persistent.
CHERRYSPY is a Python backdoor that encrypts the data it exfiltrates using RSA together with AES, which means captured exfiltration traffic is not recoverable without the operators' private key. TAG-110 has used it against government and research entities to extract sensitive information and monitor systems. Delivering CHERRYSPY through the HATVIBE loader shows the group's investment in custom tooling.
The campaign's targets have included government agencies, human rights organizations, and educational institutions in Kazakhstan, Kyrgyzstan, and Uzbekistan. Active targeting of Central Asian countries suggests a strategic interest in maintaining influence in the region, particularly amid strained relations following Russia's invasion of Ukraine.
Insikt Group researchers note that the intelligence TAG-110 gathers supports Russia's military strategy and improves its understanding of regional dynamics. The group is expected to continue its cyber-espionage campaigns, focusing on post-Soviet Central Asian states, Ukraine, and Ukraine's allies.
The report includes indicators of compromise (IoCs) along with Snort and YARA rules, giving defenders concrete detection content rather than only a narrative; organizations in the sectors named above should load them into network and endpoint detection tooling and run them against historical telemetry, not only live traffic. The TAG-110 reporting underscores the ongoing threat posed by Russia-linked APTs and the need for robust cybersecurity measures to protect critical infrastructure and sensitive information.
Related Information:
https://securityaffairs.com/171343/apt/tag-110-targets-asia-europe.html
https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-asia-and-europe
https://thehackernews.com/2024/11/russian-hackers-deploy-hatvibe-and.html
https://cyberpress.org/tag-110-strikes-with-hatvibe-cherryspy/
https://en.wikipedia.org/wiki/Fancy_Bear
https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/
https://www.civilsdaily.com/news/strontium-a-cyber-espionage-group/
Published: Mon Nov 25 04:42:08 2024 by llama3.2 3B Q4_K_M