Chinese experts talked about cyberattacks on Kazakhstan companies and organizations
Qihoo 360 Netlab analysts have published a report describing a large-scale hacking operation targeting Kazakhstan.
According to the researchers, the hacker group Golden Falcon (also tracked as APT-C-34) was behind many of the attacks studied. The victims of these incidents were not only private individuals but also a range of companies and organizations: government agencies, private companies, the education sector, as well as foreign diplomats, researchers, journalists, religious figures and dissidents.
“The Golden Falcon group has considerable capabilities and resources: it can create its own hacking tools, buy spyware available on the market, and also invest in equipment to intercept radio communications. So, some attacks were based on classic phishing, while others involved physical access to target devices, which required people based directly in Kazakhstan,” the experts say.
Qihoo 360 Netlab experts believe they have discovered a previously unknown group, but according to ZDNet, Golden Falcon is probably the DustSquad group, which has been active since 2017. Interestingly, earlier DustSquad attacks also targeted Kazakhstan, but at that time the attackers used different malware.
Qihoo 360 Netlab experts explain that they gained access to one of the group’s command-and-control servers and studied its activity. There they found data stolen from victims (mainly documents exfiltrated from compromised computers). All of the information was encrypted and organized into folders by city (each folder containing the data from each infected host).
“We managed to decrypt this data, and thus victims were identified in the 13 largest cities of Kazakhstan and beyond. It turned out that the attackers also monitored foreign citizens in the country, including Chinese foreign students and Chinese diplomats,” Qihoo 360 Netlab reports.
Additionally, the experts were able to determine which tools the group used. The two main ones were a variant of RCS (Remote Control System), a spyware kit sold by the Italian developer HackingTeam, and the Harpoon backdoor Trojan, which appears to have been developed by the group itself.
It is emphasized that Golden Falcon was armed with a recent version of RCS.
Recall that the Italian HackingTeam was itself hacked in 2015, and the company’s tools ended up in the public domain. It was RCS version 9.6 that leaked at the time, but according to the researchers’ report, the Golden Falcon hackers used RCS version 10.3. This suggests that the spyware was purchased from the vendor, presumably for a considerable amount of money.
As mentioned above, Harpoon appears to be the group’s own development: this malware has not been observed in any other operations or incidents.
In addition, the experts found a number of contracts apparently signed by the group. It is not specified whether these documents were found on the hacker server or obtained from other sources.
“Among the documents are files related to the purchase of the Pegasus mobile spyware. This is a powerful tool for hacking mobile devices on Android and iOS, created by the notorious NSO Group. The truth is, it is unclear whether the deal eventually went through, since the attackers did not appear to use Pegasus in their operations,” according to researchers at Qihoo 360 Netlab.
Another interesting feature of Golden Falcon: the researchers claim that the group was negotiating the purchase of equipment from the defense contractor Yurion, which specializes in communications equipment, radio communications and the like. As with Pegasus, it is unclear whether the transaction was actually completed.
At the end of their report, the analysts conclude that it is not possible to say with certainty on behalf of which country Golden Falcon operates. The only thing the researchers are sure of is that it is a Russian-speaking group.
“Using data that was left uncensored in a screenshot shared by Qihoo, we were able to track one of the group’s members to a LinkedIn profile belonging to a Moscow area-based programmer whom the Chinese firm described as ‘a technical engineer’ for Golden Falcon,” write ZDNet journalists.