Pan-country cyberattack operation, unidentified actors worries Kazakhstan

• The attackers behind this campaign are dubbed as Golden Falcon (or APT-C-34), which Kaspersky suspects is another name for the DustSquad group.
• To researchers’ surprise, all the stolen information was arranged in city-wise folders and were encrypted.

A large cyberattack campaign aimed at people and groups from different segments has surfaced recently in the country of Kazakhstan. According to the report by Chinese cybersecurity vendor Qihoo 360, the attackers behind this campaign were from Golden Falcon (or APT-C-34), which Kaspersky suspects is another name for the DustSquad group.

The attack campaign readiness

The campaign appeared to be broad and well-executed. Till now, it has targeted government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike.

• Qihoo 360 experts think the attack was a work of a threat actor with considerable resources, and who had the ability to indigenously develop their own hacking tools.
• The group could buy expensive spyware off the surveillance market; the RCS instances found in the actor's possession was 10.3, a newer version.
• They were using a unique backdoor, most likely their own creation as it wasn’t used outside this operation.
• They invested in radio communications interception hardware bought from Yurion, a Moscow-based defense contractor.
• Some attacks included carefully crafted emails carrying malicious attachments (spear-phishing) sent to the hand-picked targets.
• Other tactics included attempting physical access to devices, which suggests they might have used on-the-ground operatives in the region of Kazakhstan.

How Qihoo 360 raided Golden Falcon campaign?

Golden Falcon, in previous hacking operation records which dates back to 2018, was found using spear-phishing emails, leading users to download malware-laced version of Telegram.

• The Chinese company managed to gain access to one of Golden Falcon's command and control (C&C) server which helped the team in retrieving operational data about the activity.
• It also found data retrieved from infected victims primarily involved office documents.
• To researchers’ surprise, all the stolen information was arranged in city-wise folders and were encrypted.
• The team could decrypt all the data, where they found the evidence of Golden Falcon spying on foreign nationals in the country.
• The data was from victims located in Kazakhstan’s 13 largest cities, and more.

For better clarity, ZDNet got in touch with a few analysts and asked for their opinions. According to their opinions, gather and heard were, this seems to be either a Russian APT group, Kazakh intelligence agency spying on its citizens, or a Russian mercenary group doing on-demand spying for the Kazakh government.