Suspected Russia-Nexus Threat Actor Targets Diplomatic Entities in Kazakhstan
A suspected Russia-nexus threat actor, identified as UAC-0063, has been conducting convincing spear phishing attacks against diplomatic entities in Kazakhstan. This threat actor was first documented by Ukraine’s Computer Emergency Response Team (CERT-UA) in 2023 and is tied with medium confidence to APT28 (also known as Fancy Bear, Forest Blizzard, Strontium, and Sofacy), a group affiliated with the General Staff Main Intelligence Directorate (GRU) Military Unit 26165.
Background on APT28
APT28 is notorious for its high-profile attacks against Western governments, including exploiting unpatched Cisco routers to hack into US and EU government agencies. This group’s involvement in the spear phishing campaign against Kazakhstan’s diplomatic entities suggests a strategic interest in gathering intelligence on the country’s relationships with European states.
Threat Actor UAC-0063
UAC-0063, active since at least 2021, has been linked to APT28 by CERT-UA. The threat actor’s tactics, including spear phishing, are consistent with the group’s known methods. The campaign’s focus on diplomatic entities in Kazakhstan may be aimed at gathering information on the country’s strategic interests and relationships with European states.
Context and Implications
According to Arquillière, the execution of this kind of cyber espionage by Russian intelligence is "really coherent" with their goals. This suggests that the threat actor’s actions are likely part of a broader effort to gather intelligence on Kazakhstan’s relationships with European states. The implications of this campaign are significant, as they may provide insight into Russia’s strategic interests and potential vulnerabilities in the region.