Foreign cyberspies detected in the infrastructure of state organizations
The days when spies had to ingratiate themselves with people and gather useful information in person, offline, are gone. Today they have been replaced by something found almost everywhere: the computer. Software and cyber weapons, combined with knowledge and skill in information technology, can collect data by penetrating even the most inaccessible systems. Cyber intelligence and electronic espionage, which seemed like a distant future 10 years ago, have become our reality.
In Kazakhstan, the identification and suppression of these high-tech crimes is carried out by JSC “State Technical Service” together with the National Security Committee. For example, in 2022 the activities of a hacker group that conducted cyber espionage by covertly collecting documents from the infrastructures of several state bodies and organizations were neutralized.
The group operated covertly. To entrench itself and steal files, the malware it launched disguised itself as legitimate operating system processes or as other installed software signed by real developers, so it aroused no suspicion among ordinary users or even system administrators. The hackers exploited previously unknown security flaws, so-called “0-day” vulnerabilities, and used malware previously unknown to antivirus labs, the hallmarks of an advanced persistent threat (APT). Information protection tools did not detect this malicious software, which allowed the hackers to operate unhindered.
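As an added illustration of the masquerading technique described above (this is not the article's own material, nor tooling of JSC «STS»), the following Python check compares each running process against a baseline of where a genuine copy lives, which parent starts it, and which publisher signs it, and also catches near-miss spellings of protected names. The baseline tables, the trusted signer names, the publisher "Example Dev Ltd" and the process snapshot are all constructed assumptions; a real baseline would be taken from a known-good host. The point a defender should take from it is that a valid signature from a real developer is not a clearance on its own.

```python
"""Flag processes that masquerade as legitimate OS binaries or signed software.

Added example for illustration only, not the article's material or STS tooling.
Baseline tables, signer names and the snapshot below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumption: canonical locations of genuine copies of a few Windows binaries (lower-cased).
EXPECTED_IMAGE_PATHS = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "lsass.exe": {r"c:\windows\system32\lsass.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe"},
}
# Assumption: the parent that starts a genuine instance; anything else is a deviation.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"}}
# Assumption: publishers whose signature is accepted for the protected names above.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str
    parent_name: str
    signer: str            # "" when unsigned
    signature_valid: bool  # False when unsigned or the chain does not verify


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike_of(stem: str):
    """Return the protected name a near-miss spelling resembles, else None.

    Short stems allow one edit ("svch0st"), longer ones two ("scvhost"), so that
    genuine short names such as csrss vs lsass do not collide.
    """
    for known in EXPECTED_IMAGE_PATHS:
        known_stem = known.rsplit(".", 1)[0]
        limit = 2 if len(known_stem) >= 7 else 1
        if 0 < _edit_distance(stem, known_stem) <= limit:
            return known
    return None


def masquerade_findings(p: Proc) -> list[str]:
    """Return the reasons this process looks like a masquerade; an empty list means clean."""
    name = p.name.lower()
    reasons = []
    claims_protected = name in EXPECTED_IMAGE_PATHS
    if claims_protected:
        if p.path.lower() not in EXPECTED_IMAGE_PATHS[name]:
            reasons.append(f"{name} running from unexpected path {p.path}")
        if name in EXPECTED_PARENTS and p.parent_name.lower() not in EXPECTED_PARENTS[name]:
            reasons.append(f"{name} started by unexpected parent {p.parent_name}")
    else:
        known = _lookalike_of(name.rsplit(".", 1)[0])
        if known:
            claims_protected = True
            reasons.append(f"lookalike name {p.name} resembles {known}")
    # A valid signature is not a clearance: the malware in the article was signed by
    # real developers. Only a trusted publisher on a protected name gets a pass.
    if claims_protected:
        if not p.signature_valid:
            reasons.append("unsigned or invalid signature")
        elif p.signer not in TRUSTED_SIGNERS:
            reasons.append(f"signed by publisher '{p.signer}' not trusted for this role")
    return reasons


def scan(procs) -> dict[int, list[str]]:
    """Map pid -> findings for every process that has at least one finding."""
    findings = {}
    for p in procs:
        reasons = masquerade_findings(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed snapshot (assumption): two genuine system processes, one notepad,
# one validly signed copy of "svchost.exe" from a hypothetical real developer in
# a user-writable directory, and one unsigned lookalike in a temp directory.
SAMPLE_SNAPSHOT = [
    Proc(1, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", "Microsoft Windows", True),
    Proc(2, "lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe", "Microsoft Windows", True),
    Proc(3, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe", "Example Dev Ltd", True),
    Proc(4, "scvhost.exe", r"C:\Windows\Temp\scvhost.exe", "cmd.exe", "", False),
    Proc(5, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe", "Microsoft Windows", True),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

On the sample snapshot only pids 3 and 4 are reported: pid 3 for its path, its parent and its untrusted (though valid) signer, pid 4 for the lookalike name and the missing signature. In practice the snapshot comes from an EDR or a `Get-Process`/`Get-AuthenticodeSignature` export, and the baseline is regenerated from a clean reference image rather than hand-written.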
The attackers managed to compromise the main elements of the information and communication infrastructures of state bodies and organizations, including the workstations of managers. They collected network diagrams, accounts and technical data about the infrastructure itself in order to advance further through the networks.
Research into the group's activity, the methods it used and other collected information leads to the assumption that the group operated in the interests of a foreign state. This put the identified attack in a completely different light and made clear that it was the consistent work of highly qualified specialists with serious financial backing for achieving their goals.
The cyber spies had stable communication channels into the victims' infrastructures, and backup channels in addition to them. Their espionage was carried out in such a way that the government organizations were unaware of an outsider in their infrastructure. Everything worked as before: antivirus software detected only previously known malware, electronic documents did not disappear from computers, the infrastructure was stable, and nothing suggested that a third party was stealing the information circulating in the organization. The hackers were interested only in “sensitive” information; they did not steal everything.
In order to respond to this incident effectively and oust the group from the infrastructures, JSC «STS» and the National Security Committee, with the help of the state bodies and organizations concerned, studied the methods the intruders had used to penetrate and prepared the appropriate infrastructure for the response.
These actions required significant effort, since there were serious shortcomings in how protection was organized. Given the available information about the intruders' presence in the infrastructures of the “victims”, drastic measures were needed for a thorough cleansing. With the agreement of the first heads of the state bodies and organizations, large-scale activities were carried out, as a result of which hacker activity in the domestic networks was contained as far as possible. To shut down the backup channels for collecting information, JSC «STS» and the National Security Committee carried out a second stage of activities, in which any suspicious activity was viewed through the prism of zero trust and carefully checked, and further, more targeted cleansing was performed.
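One way to look for the stable and backup channels described above, without relying on antivirus signatures, is to hunt for machine-regular outbound connections in proxy or firewall logs. The following Python example is added here for illustration; it is not the article's material or JSC «STS» tooling, and the log format, hostnames and addresses (TEST-NET ranges) are constructed. It flags per-destination connection series whose inter-connection gaps have very low jitter, then pairs a beacon that went quiet with a later one from the same host: exactly the succession that a cleanup removing only the primary channel would miss.

```python
"""Hunt for periodic outbound connections (C2 beacons) and for a backup channel
that takes over after the primary one goes quiet.

Added example, not from the article or STS tooling. Log format, hosts and
addresses are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (assumption): "<UTC timestamp> <host> <dst_ip> <dst_port>" per line.
# ws-dir-01 beacons to 203.0.113.10 every ~5 min, then switches to 198.51.100.7;
# 192.0.2.50 is ordinary irregular traffic and must not be flagged.
SAMPLE_LOG = """\
2023-03-01T10:00:00Z ws-dir-01 203.0.113.10 443
2023-03-01T10:02:11Z ws-dir-01 192.0.2.50 443
2023-03-01T10:03:40Z ws-dir-01 192.0.2.50 443
2023-03-01T10:05:03Z ws-dir-01 203.0.113.10 443
2023-03-01T10:09:58Z ws-dir-01 203.0.113.10 443
2023-03-01T10:10:00Z ws-hr-02 192.0.2.50 80
2023-03-01T10:15:01Z ws-dir-01 203.0.113.10 443
2023-03-01T10:20:00Z ws-dir-01 203.0.113.10 443
2023-03-01T10:21:05Z ws-dir-01 192.0.2.50 443
2023-03-01T10:22:00Z ws-dir-01 192.0.2.50 443
2023-03-01T10:24:57Z ws-dir-01 203.0.113.10 443
2023-03-01T10:30:02Z ws-dir-01 203.0.113.10 443
2023-03-01T10:35:00Z ws-dir-01 198.51.100.7 443
2023-03-01T10:40:01Z ws-dir-01 198.51.100.7 443
2023-03-01T10:44:59Z ws-dir-01 198.51.100.7 443
2023-03-01T10:47:30Z ws-dir-01 192.0.2.50 443
2023-03-01T10:50:00Z ws-dir-01 198.51.100.7 443
2023-03-01T10:55:02Z ws-dir-01 198.51.100.7 443
2023-03-01T11:00:00Z ws-dir-01 198.51.100.7 443
"""

MIN_CONNECTIONS = 5  # fewer points give no usable interval statistics
MAX_JITTER = 0.10    # coefficient of variation of the gaps; below this looks machine-driven


def parse(log: str):
    """Parse log lines into (timestamp, host, dst, port) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(port)))
    return events


def find_beacons(events):
    """Return one record per (host, dst, port) whose connection gaps are suspiciously regular."""
    by_channel = defaultdict(list)
    for ts, host, dst, port in events:
        by_channel[(host, dst, port)].append(ts)
    beacons = []
    for (host, dst, port), times in by_channel.items():
        times.sort()
        if len(times) < MIN_CONNECTIONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter < MAX_JITTER:
            beacons.append({"host": host, "dst": dst, "port": port, "count": len(times),
                            "interval_s": round(avg, 1), "jitter": round(jitter, 3),
                            "first": times[0], "last": times[-1]})
    beacons.sort(key=lambda b: (b["host"], b["first"]))
    return beacons


def channel_succession(beacons):
    """Pair, per host, a beacon that stopped with a different one that began afterwards.

    A hit here is the "backup channel" pattern: the primary goes quiet (for example
    after a first cleanup) and a second destination starts beaconing.
    """
    by_host = defaultdict(list)
    for b in beacons:
        by_host[b["host"]].append(b)
    out = []
    for host, bs in by_host.items():
        bs.sort(key=lambda b: b["first"])
        for old, new in zip(bs, bs[1:]):
            if new["first"] > old["last"] and old["dst"] != new["dst"]:
                out.append((host, old["dst"], new["dst"]))
    return out


if __name__ == "__main__":
    found = find_beacons(parse(SAMPLE_LOG))
    for b in found:
        print(f"{b['host']} -> {b['dst']}:{b['port']} every {b['interval_s']}s "
              f"(jitter {b['jitter']}, {b['count']} connections)")
    for host, old, new in channel_succession(found):
        print(f"{host}: channel {old} went quiet, {new} took over")
```

On the sample the two 203.0.113.10 and 198.51.100.7 series are reported with an interval of about 300 seconds, the irregular 192.0.2.50 traffic is not, and the succession check reports 203.0.113.10 being replaced by 198.51.100.7 on ws-dir-01. Real malware adds random jitter, so in practice the threshold is tuned per environment and the result is a hunting lead to be checked by hand, not a verdict.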
Attempts to return to the infrastructure were recorded daily; the group used different attack methods: phishing emails, searching for vulnerabilities, and various network attacks. The accumulated experience and well-coordinated work with the victim organizations made it possible to prevent re-compromise. This confrontation continues to this day, and experts constantly monitor information security events.
Digitalization over the past decade has affected all sectors of the country. Unfortunately, not enough attention was paid to information security, which resulted in numerous leaks of confidential information.
The measures taken allowed JSC «STS» to acquire unique experience and a body of indicators of compromise. In the future, it is planned to apply these practical skills to identifying and suppressing such threats in other organizations of the country.
Espionage has moved from the physical to the digital dimension, and without a proper level of security it is almost impossible to prevent an attack or identify an intruder in your infrastructure. Hackers can steal information for years while their activities remain invisible. At the same time, it must be borne in mind that stolen information will be used “against us” and may lead to irreversible consequences.