Extensive hacking operation discovered in Kazakhstan

Researchers say an advanced hacking group has been using custom-developed hacking tools, expensive surveillance kits, mobile malware, and radio communications interception hardware to spy on Kazakhstan targets.

Chinese cyber-security vendor Qihoo 360 published a report on Friday exposing an extensive hacking operation targeting the country of Kazakhstan.

Targets included individuals and organizations from all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, and government dissidents.

The campaign, Qihoo 360 said, was broad, and appears to have been carried out by a threat actor with considerable resources: one with the ability to develop its own private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.

Signs point to some attacks relying on carefully crafted emails sent to targets with malicious attachments (spear-phishing), while others relied on getting physical access to devices, suggesting the use of on-the-ground operatives deployed in Kazakhstan.

Qihoo researchers named the group behind this extensive campaign Golden Falcon (or APT-C-34). The Chinese security vendor claimed the group was new, but when ZDNet reached out to Kaspersky, we were told Golden Falcon appears to be another name for DustSquad, a cyber-espionage entity that has been active since 2017.

The only report detailing its previous hacking operations dates back to 2018, when it was seen using spear-phishing emails that led users to a malware-laced version of Telegram.

Just like the attacks documented by Qihoo this week, the 2018 attacks also focused on Kazakhstan, but used a different malware strain.

Qihoo's new report is primarily based on data the Chinese company obtained after it gained access to one of Golden Falcon's command and control (C&C) servers, from which it retrieved operational data about the group's activities.

Here, the Chinese firm said it found data retrieved from infected victims. The collected data consisted primarily of office documents taken from hacked computers.

All the stolen information was arranged in per-city folders, with each city folder containing data on each infected host. Researchers said they found data from victims located in Kazakhstan's 13 largest cities, and more.

The data was encrypted, but researchers said they were able to decrypt it. Inside, they also found evidence that Golden Falcon was spying on foreign nationals in the country — with Qihoo naming Chinese international students and Chinese diplomats as targets.

Files on the C&C server revealed what types of hacking tools this group was using. Two tools stood out. The first was a version of RCS (Remote Control System), a surveillance kit sold by Italian vendor HackingTeam. The second was a backdoor trojan named Harpoon (Garpun in Russian) that appears to have been developed by the group itself.

In regards to its use of RCS, what stood out was that Golden Falcon was using a new version of RCS. The RCS version number is important because, in 2015, a hacker breached HackingTeam and then leaked all of its internal files, including the source code for RCS.

At the time, the RCS version number was 9.6. According to Qihoo, the version number for the RCS instances they found in Golden Falcon's possession was 10.3, a newer version, meaning the group most likely bought a newer version from its distributor.

But Golden Falcon was also in possession of another potent tool. Qihoo says the group was using a unique backdoor that hasn't been seen outside the group's operations and was most likely their own creation.

The Chinese vendor said it obtained a copy of this tool's manual. It is unclear if they found the manual on the group's C&C server, or if they obtained it from another source. The manual, however, shows a well-developed tool with a large feature set, on par with many of today's top backdoor trojans.

Features include:

  • Keylogging
  • Steal clipboard data
  • Take screenshots of the active window at predetermined intervals
  • List the contents of a given directory
  • Get Skype login name, contact list, and chat message history
  • Get Skype and Google Hangouts contacts and voice recordings
  • Record sound via the microphone (eavesdropping)
  • Copy a specified file from the target computer
  • Automatically copy files from removable media
  • Store all intercepted data in an encrypted data file, inside a specified directory
  • Send stolen data to a specified FTP server
  • Run a program or operating system command
  • Download files from a given FTP server into a specific directory
  • Remotely reconfigure and update components
  • Receive data files from a given FTP server and automatically extract the files to a specified directory
  • Self-destruct

Most of the features listed above are the norm for high-level backdoor trojans, usually encountered in nation-state level cyber-espionage.

But Qihoo researchers also found additional files, such as contracts, supposedly signed by the group.

It is important to point out that cyber-espionage groups don't leave contracts sitting around on C&C servers. It is unclear if these contracts were found on Golden Falcon's C&C server, or were retrieved from other sources. Qihoo didn't say.

One of these contracts appears to be for the procurement of a mobile surveillance toolkit known as Pegasus. This is a powerful mobile hacking tool, with Android and iOS versions, sold by NSO Group.

The contract suggests that Golden Falcon had, at least, shown interest in acquiring NSO's Android and iOS surveillance tools. It is unclear if the contract ever resulted in a sale, as Qihoo didn't find any evidence of NSO's Pegasus beyond the contract.

Either way, Golden Falcon did have mobile hacking capabilities. This capability was provided via Android malware supplied by HackingTeam.

Qihoo said the malware they analyzed included 17 modules, with features ranging from audio eavesdropping to browser history tracking, and from stealing IM chat logs to tracking a victim's geo-location.

A second set of contracts showed that Golden Falcon had also acquired equipment from Yurion, a Moscow-based defense contractor that specializes in radio monitoring, eavesdropping, and other communications equipment.

Again, Qihoo only shared details about the contract's existence, but could not say if the equipment was bought or used — as such capabilities go beyond the tools at the disposal of a regular security software company.

The Chinese cyber-security firm also said it tracked down several Golden Falcon members through details left in legal digital signatures, supposedly found inside the contracts they discovered.

Researchers said they tracked four Golden Falcon members and one organization.

Using data that was left uncensored in a screenshot shared by Qihoo, we were able to track one of the group's members to a LinkedIn profile belonging to a Moscow-area programmer that the Chinese firm described as "a technical engineer" for Golden Falcon.

Neither Qihoo nor Kaspersky, in its 2018 report, makes any formal attribution for this group. The only detail the two shared was that this was a Russian-speaking APT (advanced persistent threat — a technical term used to describe advanced, nation-state backed hacking units).

During research for this article, ZDNet asked a few analysts for their opinions. The most common theories we heard were that this "looks" to be:

(1) a Russian APT,
(2) a Kazakh intelligence agency spying on its citizens, or
(3) a Russian mercenary group doing on-demand spying for the Kazakh government — with the last two being the most common answers.

However, it should be noted that these arguments are subjective and not based on any substantial proof.

The use of HackingTeam surveillance software, and the inquiry into buying NSO Group mobile hacking capabilities, does show that this could indeed be an authorized law enforcement agency. However, Qihoo also pointed out that some of the targets/victims of this hacking campaign were Chinese government officials in north-west China — meaning that if this was a Kazakh law enforcement agency, then it seriously overstepped its jurisdiction.

The Qihoo Golden Falcon report is available here, in Chinese, and here, translated with Google Translate. The report contains additional technical information about the malware used in these attacks, information that we didn't include in our coverage because it was too technical.

Original source of article: ZDNet

By Catalin Cimpanu for Zero Day | November 23, 2019 — 08:00 GMT | Topic: Security