Bitdefender warns of cyber campaign in Central Asia, Europe
Bitdefender Labs has issued a warning regarding a cyber-espionage campaign targeting organisations in Central Asia and Europe.
The group, identified as UAC-0063, utilises sophisticated strategies to access high-value targets, including government and diplomatic entities, extending their operations into Europe.
The geopolitical context in Central Asia has shifted since the Ukraine conflict began, affecting relationships in the region with Russia and China. Russia's previously dominant influence has waned, casting doubt on its role as a regional security guarantor. Some Central Asian nations are reportedly uneasy about Russia's respect for their sovereignty due to its actions in Ukraine.
Conversely, China is increasing its influence in Central Asia, especially through economic engagements, stressing infrastructure and trade via the Belt and Road Initiative (BRI), unlike Russia's historical reliance on military alliances. Though both countries share interests in combating extremism, their relationship in Central Asia is nuanced by competition and limited cooperation, exacerbated by the lack of a strong US presence in the region.
The complexities in the geopolitical landscape have created opportunities for cyberespionage, with UAC-0063 taking advantage to infiltrate government institutions and extract sensitive data. Bitdefender Labs and CERT-UA have developed a more profound understanding of this threat actor's tactics, documenting their expansion into targeting embassies in nations including Germany, the UK, the Netherlands, Romania, and Georgia.
UAC-0063 has been identified as potentially linked to the Russian group APT28, albeit with moderate confidence due to limited concrete technical evidence. "There is a moderate confidence assessment by CERT-UA that UAC-0063 is linked to the Russian cyber-espionage group APT28 (BlueDelta). However, the specific basis for this assessment remains unclear," Bitdefender Labs pointed out, acknowledging overlapping interests but not confirmed attribution.
Initial access for UAC-0063 begins with previously compromised shared documents, specifically Microsoft Word files, into which the group embeds the HATVIBE malware. "This exemplifies a common, yet often underestimated, form of supply chain attack," Bitdefender Labs noted. These documents originate from sources such as Kazakh embassies, and the group relies on social engineering to persuade the recipient to enable and execute the malicious macros.
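The lure described above works only if the recipient runs a macro-bearing Word file, so a cheap first-line check on inbound or shared documents is whether an OOXML file carries a VBA project at all. The following triage script is an added illustration, not Bitdefender's or CERT-UA's tooling and not a HATVIBE detector: it opens a Word document as the ZIP container it is, looks for the `word/vbaProject.bin` part and for the macro-enabled main-part content type, and flags the file for further analysis. The sample documents are constructed in memory (the `vbaProject.bin` payload is placeholder bytes, not a real VBA stream), and the function and file names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Part name and content type that identify a macro-enabled Word document (.docm).
MACRO_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def inspect_word_document(data: bytes) -> dict:
    """Triage an OOXML Word document held in memory.

    Returns a record with three indicators: whether the bytes are an OOXML
    package, whether a VBA project part is present, and whether the package
    declares the macro-enabled main-part content type. 'suspicious' is set
    when either macro indicator fires, so a file that hides one of them is
    still caught by the other.
    """
    result = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "suspicious": False,
    }
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container, so not OOXML (could be legacy .doc)

    names = set(package.namelist())
    if "[Content_Types].xml" not in names:
        return result  # a ZIP, but not an Open Packaging Conventions package
    result["is_ooxml"] = True
    result["has_vba_project"] = MACRO_PART in names

    # The content-types manifest declares what the main document part is.
    root = ET.fromstring(package.read("[Content_Types].xml"))
    for override in root.iter(CT_NS + "Override"):
        if override.get("ContentType") == MACRO_MAIN_CT:
            result["macro_enabled_content_type"] = True

    result["suspicious"] = result["has_vba_project"] or result["macro_enabled_content_type"]
    return result


def build_sample_document(macro: bool) -> bytes:
    """Construct a minimal Word package in memory for testing (constructed sample).

    With macro=True the package carries a placeholder vbaProject.bin and the
    macro-enabled content type; with macro=False it is a plain .docx layout.
    """
    main_ct = MACRO_MAIN_CT if macro else PLAIN_MAIN_CT
    bin_default = (
        '  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>\n'
        if macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
        '  <Default Extension="xml" ContentType="application/xml"/>\n'
        f"{bin_default}"
        f'  <Override PartName="/word/document.xml" ContentType="{main_ct}"/>\n'
        "</Types>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", content_types)
        package.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real OLE-packaged VBA project.
            package.writestr(MACRO_PART, b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def triage(documents: dict) -> list:
    """Return the names of documents that warrant analyst attention."""
    return [name for name, data in documents.items() if inspect_word_document(data)["suspicious"]]


if __name__ == "__main__":
    samples = {
        "embassy_circular.docm": build_sample_document(macro=True),
        "agenda.docx": build_sample_document(macro=False),
        "unknown.bin": b"not an office document",
    }
    for name, data in samples.items():
        print(name, inspect_word_document(data))
    print("flagged:", triage(samples))
```

This check is deliberately narrow: it answers "does this document carry macros" and nothing more, which is enough to route a file to sandboxing or to block it at a mail gateway where macro-enabled documents are not expected from external senders. It does not parse the VBA itself, and a legacy binary `.doc` is not a ZIP and will simply come back as not OOXML, so that format needs a separate path.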
The group employs tools such as PyPlunderPlug and DownExPyer for data theft and actively maintains its infrastructure, suggesting ongoing operations.
Bitdefender highlights the delivery of malicious payloads through documents uploaded from Kazakhstan as part of a broader campaign that continued into European countries.
Bitdefender emphasises the significance of a multi-layered defence to counter such sophisticated threats. "Prevention, protection, detection, and response are critical to mitigating risks from sophisticated attackers like UAC-0063," Bitdefender Labs urged, highlighting the importance of threat intelligence and vigilant security operations to identify and respond to potential compromises.
The operational sophistication of UAC-0063, together with its continued targeting of government entities in strategically important regions, underscores the group's intelligence-gathering capability and aligns with possible Russian strategic interests; concrete attribution, however, remains unresolved.