It has been discovered by the cybersecurity expert MalwareHunterTeam. The lure is a supposed unusually activity on the victim’s account. The goal: steal PII and sensitive data.
Qihoo 360: Kazakhstan suffered an extensive hacking operation by a cyber espionage group. Both with spear phishing and physical access to devices
Kazakhstan suffered an extensive hacking operation. It has been discovered by Qihoo 360 cyber security experts. Targets included individuals and organizations, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats. The campaign was broad and appears to have been carried by a threat actor with considerable resources. One who had the ability to develop private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware. Signs point that some attacks relied on sending targets carefully crafted emails carrying malicious attachments (spear-phishing), while others on getting physical access to devices, suggesting the use of on-the-ground operatives deployed in Kazakhstan.
The chinese cyber security experts dubbed the group as Golden Falcon (aka APT-C-34). But Kaspersky believes that is DustSquad, already known for cyber espionage operations
According to the cyber security experts, the group behind this extensive campaign is Golden Falcon (aka APT-C-34). For Qihoo 360 the malicious hackers are a new entity. But Kaspersky, reached out by ZDNet, believes that the threat actor is DustSquad, a cyber-espionage squad active since since 2017. The only report detailing its previous hacking operations dates back to 2018 when it was seen using spear-phishing emails that lead users to a malware-laced version of Telegram. Just like the attacks documented by Qihoo this week, the 2018 attacks also focused on Kazakhstan but had used a different malware strain. The vendor gained access to one of Golden Falcon’s command and control (C&C) server, from where they retrieved operational data about the group’s activities. All the stolen information was arranged in per-city folders, with each city folder containing data on each infected host.