The governments of Afghanistan, Kyrgyzstan and Uzbekistan have all been targeted by a Chinese-state-backed advanced persistent threat (APT) group, dubbed IndigoZebra, according to intelligence produced by Check Point Research (CPR).
The group appears to have infiltrated the Afghan National Security Council (NSC) in a targeted, tailored spear phishing attack, by sending an email with a document attached for review which impersonated the Office of the President of Afghanistan as a lure to infiltrate the NSC.
“The detection of cyber espionage continues to be a top priority for us. This time, we’ve detected an ongoing spear-phishing campaign targeting the Afghan government. We have grounds to believe that Uzbekistan and Kyrgyzstan have also been victims. We’ve attributed our findings to a Chinese-speaking threat actor,” said Check Point’s threat intelligence head Lotem Finkelsteen.
The malicious attachment, which purported to relate to an upcoming press conference, was in fact a password-protected RAR archive named ‘NSC Press conference.rar’ containing the malware.
Once opened, the extracted file, named ‘NSC Press conference.exe’, acted as a backdoor dropper. To reduce suspicion, the malware used a simple trick: because the email had led the victim to expect a document, it also opened the first document it found on the victim’s desktop.
“What is remarkable here is how the threat actors utilised the tactic of ministry-to-ministry deception. This tactic is vicious and effective in making anyone do anything for you. In this case, the malicious activity was seen at the highest levels of sovereignty,” said Finkelsteen.
The backdoor then called back to a folder, preconfigured and unique to each victim, that was controlled by the attackers and hosted on the Dropbox cloud storage service. This folder served as the address from which the malware pulled further commands and where it stored exfiltrated information, effectively turning Dropbox into a command and control (C2) server. When the group needed to send a file or command to the victim’s system, it placed it in a folder named ‘d’ inside the victim’s Dropbox folder, from where the malware retrieved and downloaded it.
“It’s noteworthy how the threat actors utilise Dropbox to mask themselves from detection, a technique that I believe we should all be aware of and watch out for,” said Finkelsteen.
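One way a defender can watch for the pattern described above, as an added example that is not part of the article or of Check Point’s research: flag any process other than the legitimate Dropbox client that repeatedly contacts Dropbox API endpoints. The endpoint host names, the client install path and the sample events are assumptions constructed for the example.

```python
# Added example: detect non-client processes beaconing to Dropbox endpoints.
# Host list, client path and events below are assumptions, not from the report.
from collections import defaultdict
from datetime import datetime

# Dropbox API hosts the malware would need to reach (assumed list).
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "dl.dropboxusercontent.com"}
# Assumed install location of the legitimate desktop client; adjust per environment.
LEGIT_CLIENT_PATHS = {r"c:\program files (x86)\dropbox\client\dropbox.exe"}

# Constructed sample endpoint network events: (timestamp, destination host, process image).
EVENTS = [
    ("2021-07-01T09:00:05", "api.dropboxapi.com", r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe"),
    ("2021-07-01T09:01:10", "api.dropboxapi.com", r"C:\Users\user\Desktop\NSC Press conference.exe"),
    ("2021-07-01T09:03:00", "www.example.org", r"C:\Users\user\Desktop\NSC Press conference.exe"),
    ("2021-07-01T09:06:11", "api.dropboxapi.com", r"C:\Users\user\Desktop\NSC Press conference.exe"),
    ("2021-07-01T09:11:09", "content.dropboxapi.com", r"C:\Users\user\Desktop\NSC Press conference.exe"),
]

def suspicious_dropbox_users(events, min_hits=2):
    """Return {process image: sorted timestamps} for processes that are not the
    Dropbox client yet reach Dropbox endpoints at least min_hits times.
    Repeated contact is what a polling backdoor does; one-off hits are left to the analyst."""
    hits = defaultdict(list)
    for ts, host, image in events:
        if host.lower() not in DROPBOX_HOSTS:
            continue                      # not Dropbox traffic
        if image.lower() in LEGIT_CLIENT_PATHS:
            continue                      # the real client is expected to talk to Dropbox
        hits[image].append(datetime.fromisoformat(ts))
    return {img: sorted(t) for img, t in hits.items() if len(t) >= min_hits}

def beacon_interval_seconds(timestamps):
    """Median gap between consecutive contacts; a steady gap suggests a polling loop."""
    gaps = sorted((b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:]))
    return gaps[len(gaps) // 2] if gaps else 0.0

if __name__ == "__main__":
    for image, times in suspicious_dropbox_users(EVENTS).items():
        print(f"{image}: {len(times)} Dropbox contacts, ~{beacon_interval_seconds(times):.0f}s apart")
```

In a real deployment the events would come from an EDR or proxy log, and the allow-list of legitimate client paths should be checked against the client's signed binary rather than its path alone.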
“It’s possible that other countries have also been targeted by this hacker group, though we don’t know how many or which countries. Hence, we’re sharing a list of other possible domains used in the attack at this time, in hope that their names can be leveraged by other cyber researchers for contribution to our own findings.”
Ultimately, the group performed a number of actions on the NSC’s systems, including downloading and executing a scanning tool known to be widely used by multiple APT actors, including China-based APT10; running Windows’ built-in networking utilities; and accessing and stealing the victim’s files.
Besides the campaign targeting Afghanistan, CPR found variants targeting political bodies in two other central Asian countries, Kyrgyzstan and Uzbekistan – specific indicators of the victimology can be found in its full technical report.
The IndigoZebra group has been known to the cyber security community for some time, and its campaign is thought to date back several years, possibly as far as 2014, said CPR.
In 2017, Kaspersky noted a campaign against former Soviet republics in central Asia using a wide variety of malware including Meterpreter, Poison Ivy and xDown. Kaspersky said that it was likely conducting intelligence gathering, and later the same year suggested IndigoZebra was specifically targeting countries that had held negotiations with Russia.