Response to computer incidents

The Computer Incident Response Service (hereinafter referred to as KZ-CERT) is a single center for users of national information systems and the Internet segment, which provides collection and analysis of information on computer incidents, advisory and technical support to users in preventing computer security threats.

The main task of KZ-CERT is to reduce the level of information security threats for users of the Kazakhstan segment of the Internet. In this regard, KZ-CERT assists Kazakhstani and foreign legal entities and individuals in identifying, preventing and suppressing illegal activities related to the network resources of the Kazakhstan segment of the Internet.

KZ-CERT collects, stores and processes statistical data related to the spread of malware and network attacks on the territory of the Republic of Kazakhstan. The competence of the service includes the processing of the following computer incidents in order to identify and neutralize them:

• attacks on network infrastructure nodes and server resources in order to disrupt their performance (DoS (Denial of Service) and DDoS) and information confidentiality;

• unauthorized access to information resources;

• distribution of malicious software, unsolicited correspondence (spam);

• scanning of national information networks and hosts;

• selection and capture of passwords and other authentication information;

• hacking information network protection systems, including the introduction of malicious programs (sniffer, rootkit, keylogger, etc.).

KZ-CERT is not responsible for possible errors, damages and other types of direct or indirect losses that occurred through the fault of users as a result of misinterpretation of information received from KZ-CERT.

Acting within the framework of the regulatory legal framework of the Republic of Kazakhstan, KZ-CERT is not authorized to deal with issues that are under the jurisdiction of law enforcement agencies.

KZ-CERT carries out:

• monitoring and identification of mechanisms and Internet resources that violate the laws of the Republic of Kazakhstan;

• development of recommendations for users to protect the interests of the individual, society and the state in the information sphere;

• provision of advisory services on information security issues;

• prompt reception of messages about hacker attacks.

KZ-CERT deals with:

• coordination of actions of computer security departments of state bodies, telecom operators, as well as other subjects of the national information infrastructure on the prevention of offenses in the field of the use of computer and information technologies;

• collection, analysis and accumulation of information on modern threats to computer security and on the effectiveness of the protection measures used.


Phone: (7172) 55-99-97

Call center: 1400                          


Frequently asked questions

Why is a foreign Internet resource blocked/inaccessible?

If you have faced the problem of unavailability of an Internet resource, it is most likely that the Internet resource contains forms for collecting personal data or malware. Therefore, you should contact a competent authority.

What to do if your card has been charged:

  • block the card;
  • contact the bank’s technical support;
  • apply to the Ministry of Internal Affairs of the Republic of Kazakhstan.

What to do if you received a call from fraudsters/ SMS from the bank reply:

  • do not share your data with untrusted persons;
  • contact the bank’s technical support;
  • apply with a claim to the Ministry of Internal Affairs of the Republic of Kazakhstan.

The activity of my .kz site is suspended

  • Contact KAZnic (
  • Contact the competent authority in the field of information security, the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (

If malicious activity/compromising data/hacking and content modification/phishing forms/Botnet was detected on your Internet resource or information system:

  • Fill out an application under “report the incident” by the link
  • Contact the hotline “1400”

How a DDoS attack works

Network resources, such as web servers, have limits on the number of requests they can serve at a time. In addition to the allowable load on the server, there are also limits on the bandwidth that connects the server to the Internet. When the number of requests exceeds the performance of any infrastructure component, the following can happen:

  • Denial of service for all or part of user requests.

As a rule, the cybercriminal’s ultimate goal is to completely shut down the web resource – “denial of service”. An attacker can also demand money for stopping the attack. In some cases, a DDoS attack may be an attempt to discredit or destroy a competitor’s business.

For what purposes are DDoS attacks used?

As a rule, the ultimate goal of an attacker is a complete shutdown of a web resource – a “denial of service”. An attacker may demand money for stopping the attack, and in some cases a DDoS attack may be an attempt to discredit or destroy a competitor’s business.
An example: St. Valentine’s Day is coming up and flower vendors are in great demand. An ambitious entrepreneur opens an online flower shop with the following features: beautiful design, a good variety of products, fast delivery and a solid budget for advertising. The only problem is very strong competitors who have been on the market for some time and who will take a significant share of the market. One thing a small entrepreneur might do, at the risk of bearing responsibility for all the negative consequences, is attack competing websites and disable them for a few days or at least hours.

Who’s involved in the DDoS attack?

Suppose that the owner of a new online flower shop found a potential “hacker” to carry out the attack, using their personal connections. They set a price for their services, which also depends on the complexity of the attack. In fact, the “bad guy” has a database of infected PCs around the world, whose users unknowingly followed various suspicious links, ran unknown files or installed malicious programs. All these viruses only become known when the bad guy activates and controls the infected computers. Such a network is called a botnet.

How do I determine if my device is part of a botnet?

Usually a bot in a botnet is a device with malware that allows an attacker to perform certain actions using the resources of an infected computer. The following factors may indicate that your personal computer is part of a botnet:

  • Unexpected messages, images or sound signals appear on the computer;
  • Your personal computer gets very hot or noisy even though you have not launched any “heavy” applications. Your computer’s resources may be running out; you can check this in Task Manager, on the “Performance” tab;
  • Programs can run or connect to the Internet without your participation;
  • Applications are not running;
  • Messages that you didn’t send come to your friends via email or messenger;
  • The computer is running slowly or freezes frequently;
  • Files and folders may disappear or their contents may change;
  • A lot of system error messages pop up;
  • The browser freezes or behaves in an unexpected way. For example, you can’t close a tab.
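
For the indicator “programs connect to the Internet without your participation”, the following PowerShell check is an added example, not part of the original KZ-CERT text. It lists which processes currently hold established TCP connections to public addresses, together with each executable’s path and signature status; the helper name `Test-PublicAddress` is hypothetical.

```powershell
# Added example: show processes with established TCP connections to public
# (non-loopback, non-private) addresses, so unexpected network activity stands out.

function Test-PublicAddress {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $false }
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        # Skip link-local (fe80::/10) and unique-local (fc00::/7) IPv6 addresses
        return -not ($ip.IsIPv6LinkLocal -or $Address -match '^f[cd]')
    }
    $b = $ip.GetAddressBytes()
    # RFC 1918 private ranges and 169.254.0.0/16 link-local
    if ($b[0] -eq 10) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

Get-NetTCPConnection -State Established |
    Where-Object { Test-PublicAddress $_.RemoteAddress } |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        $path = $proc.Path   # may be empty without administrator rights
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        [pscustomobject]@{
            PID         = [int]$_.Name
            Process     = $proc.ProcessName
            Path        = $path
            Signature   = $sig
            Connections = $_.Count
            Remote      = ($_.Group |
                           ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                           Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Connections -Descending |
    Format-Table -AutoSize -Wrap
```

A process you do not recognise, with no valid signature or running from a temporary or user-profile folder, that keeps connections open while you are not using it is a reason for a full antivirus scan, not proof of infection on its own.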

I have no antivirus software installed on my workstation, does it make sense to install licensed antivirus software?

The trend in cyber threats and the increase in the number of malware and bots in botnets suggest that without antivirus software, your device is at risk.

Why do vulnerabilities appear on an Internet resource?

  • Because of incorrectly written web application code;
  • Lack of updates of the software and operating systems used;
  • Weaknesses in the password policy;
  • Incorrect configuration of the web server;
  • Uncontrolled increase in the number of services available from the Internet.

On which Internet resources is it not recommended to enter bank data?

On Internet resources whose legitimacy you are not sure of. In addition, pay attention to whether the site encrypts the transmitted data. Encryption is indicated by the closed lock on the left side of the address bar or by “https://” instead of “http://” before the domain name of the site.