
Kazakh Govt. Used Spyware Against Protesters
2022-06-21 12:48

An agent of the Kazakhstan government has been using enterprise-grade spyware against domestic targets, according to Lookout research published last week.

The government entity used brand impersonation to trick victims into downloading the malware, dubbed "Hermit." Hermit is an advanced, modular program developed by RCS Lab, a notorious Italian company that specializes in digital surveillance.

Four months later, researchers discovered the latest samples of Hermit making the rounds.

According to researchers, agents working on behalf of the government send SMS messages purporting to come from OPPO; the messages carry what is actually a maliciously hijacked link to the company's official Kazakh-language support page: http[://]oppo-kz[.

As Paul Shunk, security researcher at Lookout, wrote in a statement: "The combination of the targeting of Kazakh-speaking users and the location of the backend C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan." Though the Lookout researchers identified that entity as belonging to the state government, they did not attribute it to a particular government official or department.

As the researchers noted in their report, "The spyware also attempts to maintain data integrity of collected 'evidence' by sending a hash-based message authentication code. This allows the actors to authenticate who sent the data as well as ensure the data is unchanged." Why is this interesting? Because "Using this method for data transmission may enable the admissibility of collected evidence."
