Golden Falcon (APT-C-34): The threat actor group known as Golden Falcon or DustSquad, which has been known to target people and groups from different parts of the world, has resurfaced in Kazakhstan, a country located between China and Russia. Chinese cybersecurity company Qihoo 360 released a report about the campaign detailing how the group has focused on targeting government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, education, religious figures and government employees within Kazakhstan. Researchers at Qihoo 360 gained access to one of the command and control servers used by the group and worked backward from there. To the researchers’ surprise, the stolen data was kept in encrypted files organized geographically by the names of cities in Kazakhstan. The researchers decrypted the files and found that the archives contained mostly office documents. The group was found to be using spyware that was likely available as a commodity item, as well as a custom backdoor, to monitor and keep track of foreign nationals within the country’s 13 biggest cities. The backdoor has only been seen in this campaign so far, so it is possible that it was custom-made by the Golden Falcon group.
Golden Falcon or DustSquad has been tracked since 2017 by Kaspersky and is a Russian-speaking threat actor group with a heavy focus on Asia. The group is known for carrying out cyber-espionage campaigns, and that is the likely motive behind the reported intrusions in Kazakhstan. Kazakhstan is a small country but contains 3% of the world’s oil reserves, making it one of the top 15 countries in terms of oil reserves. Attacks like these should come as no surprise given the country’s strategic importance. Looking into further details, some researchers also speculated that this could be the Kazakhstan government itself spying on foreign nationals, a Russian actor for hire working on behalf of Kazakhstan to spy on these individuals, or the Russian APT working on its own behalf. More details from researchers can be found here: https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/