
Russian-Linked Threat Actors Target Central Asia and Europe with Espionage Campaign

Cedric Nelson · 2 min read

Threat actors with ties to Russia have been identified as the culprits behind a cyber espionage campaign targeting entities in Central Asia, East Asia, and Europe.

TAG-110 and Overlaps with APT28

The activity is attributed by Recorded Future's Insikt Group to a cluster it tracks as TAG-110, which overlaps with UAC-0063, the group tracked by Ukraine's CERT-UA, which CERT-UA has in turn associated with the Russian state-sponsored group APT28 (Fancy Bear). Active since at least 2021, TAG-110 focuses on collecting intelligence from government bodies, human rights organizations, and educational institutions.

Malware Arsenal: HATVIBE and CHERRYSPY

The group relies on two custom malware tools, HATVIBE and CHERRYSPY, which are used together in its intrusions:

  1. HATVIBE: A custom HTML Application (HTA) loader whose job is to stage and execute additional payloads on the compromised host.
  2. CHERRYSPY: A Python-based backdoor, delivered by HATVIBE, that handles the espionage and data-exfiltration stage.

Both tools were first documented by CERT-UA in May 2023 in attacks on Ukrainian state agencies, and have since reappeared in intrusions against scientific research institutions and other targets across multiple countries.

Targeted Regions and Victim Profile

TAG-110 has been linked to at least 62 unique victims in 11 countries, with a primary focus on Central Asia, including Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan. Smaller-scale attacks have also been recorded in Armenia, China, Hungary, India, Greece, and Ukraine.

The campaign’s targets suggest an effort to collect intelligence that supports Russia's geopolitical goals, particularly in post-Soviet states where maintaining influence is critical amid strained regional relations.

Attack Methods

TAG-110 employs:

  1. Exploitation of Vulnerabilities: Exploiting flaws in public-facing web applications, such as the Rejetto HTTP File Server, to gain initial access.
  2. Phishing Campaigns: Using malicious attachments as the initial access vector to drop the HATVIBE loader, which then stages the CHERRYSPY backdoor.

Broader Geopolitical Context

The TAG-110 operations align with Russia's broader hybrid warfare strategy, encompassing both cyber and physical sabotage operations:

  1. Central Asia: Intelligence collection to bolster geopolitical objectives.
  2. Europe: Disruption of NATO allies and their support for Ukraine through attacks on critical infrastructure in countries like Estonia, Finland, Latvia, Lithuania, Norway, and Poland.

These efforts aim to destabilize political alliances, weaken military capabilities, and influence geopolitical developments without escalating to full-scale war, adhering to Russia’s Gerasimov doctrine of hybrid warfare.

Persistent Threat

As tensions between Russia and Western nations remain high, experts predict an increase in the destructiveness of Russian sabotage and cyber operations. Recorded Future notes that these campaigns are calculated to undermine NATO without crossing the threshold of overt war.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067