Stratos Ally

Russian hackers look to spy on Central Asia and Europe!  

StratosAlly

Several government agencies have reportedly been targeted by a group of threat actors linked to Russia. The group has been tagged as TAG-110. Its activities and traces match those of another threat actor group identified as UAC-0063, which was tracked by the Computer Emergency Response Team of Ukraine (CERT-UA).

TAG-110 targets government organizations and educational institutions in its target countries using its custom malware tool HATVIBE, which acts as a loader for the Python-based backdoor known as CHERRYSPY. Once a target is successfully compromised, the threat actors exfiltrate data, which can be used by the agencies for espionage.

The group was first identified by CERT-UA in May 2023, when several government agencies were targeted in Ukraine. The duo has again been active and was observed to have attacked a research agency. The campaign is not restricted to Ukraine; it has also targeted Central Asian countries and Europe.

Judging by the location of its targets, the group seems to be gathering strategic information from several countries. The list includes Kyrgyzstan, Turkmenistan, Uzbekistan, India, Greece, Germany, China, and others. The group has been traced in eleven countries, with more than 63 unique victims.

The group reaches its victims either by exploiting security flaws in public-facing websites or through a phishing attack with an attachment. Either route drops HATVIBE onto the target system, which then loads CHERRYSPY for data exfiltration and espionage. The group's activities seem to be backed by the Russian government to keep an eye on regions of interest to it, as these countries hold significance for Russia while it is involved in the war with Ukraine. There has also been an increase in cyber attacks on NATO countries such as Finland, Estonia, and Poland from Russian threat actors and groups, with the aim of destabilizing and weakening them and gaining an edge in the Ukraine situation.

The countries have been maintaining higher levels of security both on the ground and digitally as the war is ongoing on both fronts, and the situation may deteriorate further if there is no de-escalation. 
