The Cyberthreat Is Within the Commonwealth
Researchers at Cisco Talos believe that a new cyberthreat actor dubbed YoroTrooper may be operating out of Kazakhstan to pursue attacks against other countries from the former Soviet Union.
Is Kazakhstan home to a team of hackers targeting Commonwealth of Independent States (CIS) countries and attempting to disguise themselves as Azerbaijani? That’s what researchers at Cisco Talos Intelligence Group, part of Cisco Systems, believe to be the case.
Earlier in 2023, Cisco Talos identified a new threat actor that was targeting government, energy, and international organizations largely in the former Soviet Union, with cyberespionage campaigns employing a range of malware tools. Since at least June 2022, the group, which Cisco Talos named YoroTrooper, has been staging attacks with espionage appearing to be the main motivation.
As Cisco Talos explained in a March 2023 report, “Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) we have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts.”
For example, akipress[.]com is a legitimate Kyrgyzstan-based press agency. YoroTrooper allegedly established a subdomain at akipress[.]news, which a user might access not realizing it is not the legitimate website they sought. Another example: mail[.]mfa[.]az is the legitimate email domain for the Azerbaijani Ministry of Foreign Affairs – the hackers established mail[.]mfa[.]az-link[.]email in its place.
Using these malicious domains, YoroTrooper then engaged targets with phishing emails, which enable it to steal credentials and gain access to institutional systems.
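The two lookalike patterns described above (a legitimate second-level name under a different TLD, and a legitimate hostname embedded as the leading labels of a differently registered domain, plus the plain one-character typo case) can be flagged mechanically against an allow-list of known-good domains. The following Python script is an added illustration, not code from the Cisco Talos report; the allow-list, the sample URLs and the naive "last two labels" rule for the registrable domain are all assumptions made for the example (production code should use the Public Suffix List).

```python
"""Flag hostnames that impersonate domains on an allow-list (added example, not from the report)."""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate hostnames, taken from the examples in the text.
LEGIT_DOMAINS = ["akipress.com", "mail.mfa.az"]

# Constructed sample input: defanged indicators as a reporter or analyst would write them.
SAMPLE_INPUT = [
    "akipress[.]news",
    "https://mail.mfa.az-link.email/login",
    "news.akipress.com",
    "akipres[.]com",
]


def hostname_of(value: str) -> str:
    """Return the lower-cased hostname of a URL or bare host, un-defanging '[.]' first."""
    value = value.strip().lower().replace("[.]", ".")
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").rstrip(".")


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; PSL-aware code would do better)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str, legit=LEGIT_DOMAINS) -> list:
    """Return a list of (pattern, impersonated_domain) findings; empty means not suspicious."""
    host = hostname_of(value)
    if not host:
        return []
    # Exact match or a real subdomain of an allow-listed host is legitimate.
    for good in legit:
        if host == good or host.endswith("." + good):
            return []
    findings = []
    host_reg = registrable(host)
    for good in legit:
        good_reg = registrable(good)
        if host_reg.split(".")[0] == good_reg.split(".")[0] and host_reg != good_reg:
            findings.append(("tld-swap", good))            # akipress.com -> akipress.news
        elif host.startswith(good) or ("." + good + ".") in ("." + host):
            findings.append(("embedded-legit-name", good))  # mail.mfa.az -> mail.mfa.az-link.email
        elif levenshtein(host_reg, good_reg) <= 2:
            findings.append(("typosquat", good))           # akipress.com -> akipres.com
    return findings


def scan(values) -> list:
    """Run classify() over many indicators and keep only the flagged ones."""
    return [(v, classify(v)) for v in values if classify(v)]


if __name__ == "__main__":
    for value, findings in scan(SAMPLE_INPUT):
        print(f"{value:45} {findings}")
```

Feeding mail-gateway URL logs or newly registered domain feeds through `scan()` gives a cheap first-pass alert for lookalikes of an organisation's own names; the edit-distance threshold and the label heuristics are deliberately simple and will need tuning against real traffic.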
In March, Cisco Talos reported that “YoroTrooper successfully obtained access to credentials of at least one account from a critical EU health care agency’s internet-exposed system and another from the World Intellectual Property Organization (WIPO).” The group also compromised “embassies belonging to Turkmenistan and Azerbaijan, where the operators attempted to exfiltrate documents of interest and deploy additional malware.”
In October, Cisco Talos issued an updated report, suggesting that while attempting to masquerade as Azerbaijani, the hacker group may actually be based in Kazakhstan.
“We observed that most of YoroTrooper’s operations are routed via Azerbaijan, though notably, the threat actor does not appear to speak the Azerbaijani language,” Cisco Talos’ researchers noted in the report. “Intelligence obtained by Talos indicates the adversary regularly translates information from Azerbaijani to Russian, the second official language in Kazakhstan,” using Google Translate. The attackers also appear to speak Kazakh and Uzbek, in addition to Russian.
A more significant clue suggesting a strong tie to Kazakhstan is that YoroTrooper, while primarily using cryptocurrency to pay for operating infrastructure, “regularly checks for currency conversion rates between Kazakhstani Tenge (KZT), Kazakhstan’s official currency and Bitcoin (BTC) on Google.”
Another attribution clue rests in what the hackers appear to be protecting, rather than what they are attacking. Cisco Talos reported that “YoroTrooper has a special defensive interest in repeatedly evaluating the security posture of the website of the Kazakhstani state-owned email service, mail[.]kz.”
Furthermore, the only Kazakh entity targeted by the hackers appears to have been the country’s Anti-Corruption Agency.
One attack outlined in detail by Cisco Talos involves the compromising of a Tajik national with apparent government connections. “Although we could not determine the identity of the victim, Talos assesses that the victim is associated with the Tajik government, based on the nature of the data that YoroTrooper exfiltrated from them, which amounted to 165MB of documents. Many of these documents consisted of government certificates and affidavits, appearing to belong to someone who has visibility into government personnel management and welfare,” the researchers said.
Other entities targeted in Central Asia include Tajikistan’s Chamber of Commerce and Industry, the country’s Drug Control Agency, and Kyrgyzstan's state-owned coal enterprise – all compromised between May and July 2023. In August 2023, the researchers say YoroTrooper “successfully compromised a high-ranking official from the Uzbek Ministry of Energy.”
One issue embedded here is the rapid rise in internet access across Central Asia in the last quarter-century.
For example, in 2000, Kazakhstan – which then had a population just shy of 15 million – had an estimated 100,000 internet users. For comparison, that same year Uzbekistan, with a population then of around 24.5 million, had an estimated 118,000 internet users. By 2010, Kazakhstan and Uzbekistan each had around 5 million internet users (Uzbekistan’s population at the time was around 27 million and Kazakhstan’s about 16 million). As of 2023, nearly all Kazakhs have internet access – the country’s internet penetration rate stands at 90.9 percent. Uzbekistan remains behind, but its internet penetration rate in 2023 is estimated to be 76.6 percent – meaning 26.74 million Uzbeks have internet access now.
But these great leaps in access and usage of the internet have not necessarily come with great education about the risks of phishing or robust government cybersecurity operations to counter these sorts of attacks.
As detailed as the Cisco Talos report is regarding the technical aspects of how YoroTrooper is operating and which entities it has targeted, the cyber intelligence leaves ultimate attribution and motivation open for interpretation. While Cisco Talos interprets the targets and methods as suggesting an espionage angle, to what end is a question that is, at this juncture, unanswerable.