Summary

Insikt Group has identified an ongoing cyber-espionage campaign conducted by TAG-110, a Russia-aligned threat group targeting organizations in Central Asia, East Asia, and Europe. Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions. The campaigns tactics align with the historical activities of UAC-0063, attributed to Russian APT group BlueDelta (APT28). HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or exploiting vulnerable web-facing services like Rejetto HTTP File Server.

TAG-110s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states. Insikt Group provides actionable insights, including indicators of compromise and Snort and YARA rules, to help organizations.

---

Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY

Advanced persistent threat (APT) groups aligned with nation-states continue to execute sophisticated campaigns to fulfill strategic objectives. Insikt Group recently identified a Russia-aligned cyber-espionage campaign conducted by TAG-110 targeting organizations across Central Asia, East Asia, and Europe. This group deploys custom malware, including HATVIBE and CHERRYSPY, to conduct operations aligned with Russian geopolitical interests.

Key Findings

• TAG-110 Overview: A threat group overlapping with UAC-0063, TAG-110 is linked to the Russian APT group BlueDelta (APT28) with moderate confidence.
• Targets: Governments, human rights groups, and educational institutions in Central Asia and neighboring regions.
• Malware Used: HATVIBE, a custom HTML application loader, and CHERRYSPY, a Python-based backdoor, are central to the campaign.
• Scale of Impact: Since July 2024, 62 victims across eleven countries have been identified, with notable incidents in Kazakhstan, Kyrgyzstan, and Uzbekistan.

HATVIBE

HATVIBE serves as a loader for deploying additional malware like CHERRYSPY. Delivered via malicious email attachments or exploited web-facing vulnerabilities, it achieves persistence through scheduled tasks executed by the mshta.exe utility.

HATVIBEs obfuscation techniques include VBScript encoding and XOR encryption. Once deployed, it communicates with command-and-control (C2) servers using HTTP PUT requests, providing critical system details.

CHERRYSPY

CHERRYSPY, a Python-based backdoor, complements HATVIBE by enabling secure data exfiltration. It uses robust encryption methods, including RSA and Advanced Encryption Standard (AES), to establish communication with its C2 servers. TAG-110 uses CHERRYSPY to monitor victims systems and extract sensitive information, often targeting government and research entities.

Campaign Objectives

TAG-110s activities align with Russias geopolitical objectives, particularly in Central Asia, where Moscow seeks to maintain influence amid strained relations. Intelligence gathered through these campaigns likely aids in bolstering Russias military efforts and understanding regional dynamics.

Mitigation Strategies

To defend against TAG-110 and similar threats, organizations should:

1. Monitor for Indicators of Compromise (IoCs): Use intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network defense tools to detect malicious domains and IPs associated with TAG-110.
2. Deploy Detection Rules: Leverage Snort, Suricata, and YARA rules for identifying HATVIBE and CHERRYSPY-related activities.
3. Patch Vulnerabilities: Ensure timely updates of software to prevent exploitation of known vulnerabilities like CVE-2024-23692.
4. Enhance Threat Awareness: Train employees to recognize phishing attempts and enforce multi-factor authentication.
5. Leverage Intelligence Tools: Use Recorded Futures solutions for digital risk protection, credential monitoring, and real-time threat intelligence.

Outlook

TAG-110 is expected to continue its cyber-espionage campaigns, focusing on post-Soviet Central Asian states, Ukraine, and Ukraines allies. These regions are significant to Moscow due to strained relations following Russia’s invasion of Ukraine. While TAG-110s ties to BlueDelta remain unconfirmed, its activities align with BlueDeltas strategic interests in national security, military operations, and geopolitical influence.

To read the entire analysis, click here to download the report as a PDF.