Chinese cyber-security vendor Qihoo 360 has published a report detailing an extensive hacking operation aimed at victims in Kazakhstan. The target list included individuals and organizations operating in various sectors, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the education sector, religious figures, government dissidents and foreign diplomats alike.
According to Qihoo 360, the campaign was extensive and appears to be organized by threat actor with considerable resources - the one who had the ability to develop its own hacking tools, buy expensive spyware in the surveillance market, and even invest in radio communications interception hardware. The researchers said that some of the attacks were carried out using tailored emails with malicious attachments, while others involved obtaining physical access to the target devices, suggesting the use of field operatives deployed in Kazakhstan.
The treat actor behind the campaign was identified as Golden Falcon (or APT-C-34), which the researchers said is a new player on the cyber-espionage scene. But, according to Kaspersky, Golden Falcon is actually appears to be another name for DustSquad (or Nomadic Octopus) - the Russian-speaking cyber espionage group that has been active since 2017 and has been known to deploy spear-phishing emails leading to malicious version of Telegram.
Qihoo's research team has been able to gain access to one of Golden Falcon's command and control (C&C) servers and retrieve some operational data. The obtained information mainly included office documents, stolen from hacked computers.
All harvested information was organized in folders by city, with each folder containing data from each infected host. The data was encrypted, but the researchers managed to decrypt it.
Overall, the researchers found data from targets located 13 largest cities in Kazakhstan. Additionally, they have found evidence that Golden Falcon was also spying on foreign citizens in the country, such as Chinese international students and Chinese diplomats.
The stored on the C&C server files also shed some light on what types of hacking tools this group was using. Two tools stood out. The first was a version of RCS (Remote Control System) sold by the Italian provider HackingTeam. The second was a backdoor malware called Harpoon (Гарпун in the Russian language) that appears to be a custom backdoor developed by the group. The backdoor has an impressive set of information gathering functions, including screen timing screenshots, recording, clipboard recording, keylogger, and specific suffix file stealing.
The researchers said they have found additional files, such as contracts, allegedly signed by the group. It should be mentioned, that Qihoo didn’t reveal where exactly these contracts were found - in the contents of C&C server or retrieved from other sources.
Nevertheless, discovered contracts show the group’s interest on procurement of a mobile surveillance toolkit known as Pegasus (both Android and iOS versions) developed by NSO Group. However, it is unclear, if the deal was ever completed, as Qihoo didn't find any evidence of NSO's Pegasus beyond the contract.