When the government of Kazakhstan was hacked–and 70 gigabytes worth of data leaked–it apparently decided to hack back.
Researchers from the Electronic Frontier Foundation (EFF) said in a presentation at last week’s Black Hat cybersecurity conference that Astana allegedly ran a phishing and malware campaign targeting journalists, dissidents, their family, and their lawyers.
The campaign, Cooper Quintin and Eva Galperin said, was discovered because it targeted EFF’s clients in an ongoing legal battle between Kazakhstan and Respublika. Respublika was an opposition newspaper that published a series of articles in early 2015 referencing files leaked in 2014 by Kazaword, which suggested, the EFF report says, that Astana had hired a Zurich-based private intelligence company, Arcanum Global Intelligence, to run a surveillance and data extraction operation against Mukhtar Ablyazov and his family.
The researchers’ report, “I Got a Letter From the Government the Other Day: Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan,” peels back the digital layers concealing a government’s campaign against its critics.
In layman’s terms: Kazakhstan hacked a dissident and was then hacked–spilling into public view that it had engaged in such a hack–and then hacked the people behind the publication that had reported on the initial hack. (Say “hack” one more time).
Of course, the details are more complex and far more serious. As one of the researchers told Reuters, “This is one of the very few campaigns where there is such a direct link between spying and physical danger.”
Mukhtar Ablyazov, currently sitting in a French jail and fighting extradition to Russia, was Kazakh Minister for Energy, Industry, and Trade in the late 1990s and in 2001 co-founded a political party opposed to President Nursultan Nazarbayev. In 2002, Ablyazov was sent to prison for “abusing official powers as a minister,” charges activists say were certainly politically motivated. His early release, in 2003, was reportedly predicated on his renouncing of politics. He moved to Moscow, but, in the eyes of Astana, did not get far enough away from politics. His funding of opposition groups and media organizations, as well as his status as a prominent opposition voice, made him a target.
Ablyazov’s family was also targeted and here is where the physical realm, the EFF researchers say, collides with cyber. By 2013, Ablyazov had fled London where he’d been granted asylum in 2011, he’d become embroiled in pending fraud charges and an arrest warrant had been issued for lying in court. In May 2013, police in Rome raided a villa and detained Ablyazov’s wife, Alma Shalabaeva, and 6-year-old daughter, Alua Ablyazova. Within three days they’d been deported forcibly, escorted on a private jet hired the Kazakh embassy, to Almaty.
Members of Ablyazov’s family filed a suit in Switzerland this year alleging that they’d been targeted with a spearphishing campaign.
The malware directed against Ablyazov’s family was the same that the EFF researchers uncovered had been unleashed against the Respublika journalists and attorneys. It’s possible, the researchers said, that such spyware was used to track the location of Ablyazov’s family. Other targets of Operation Manul have reported being followed, tracked with GPS devices, and that their offices have been broken into and their websites attacked.
The malware involved included two off-the-shelf, commercially available, remote access trojans (RATs)–JRat (Jacksbot) and Bandook. The RATs were introduced to the targeted computers using spearphishing. Spearphishing refers, in general, to emails that aren’t what they seem: what looks like a generic notice, invoice, or legal document with an attachment is little more than a disguise to gain access to the targeted system.
Using such malware, which is readily available, muddies the waters of attribution. But the majority of those targeted in Operation Manul have links to the leaked document scandal–Alexander Petrushov and Irina Petroshova, publishers of Respublika; Peter Sahlas, a human rights attorney; members of Mukhtar Ablyazov’s family; Astolfo Di Amato, an Italian attorney involved in corruption cases regarding Kazakhstan; and Bolat Atabayev, a dissident theater director. There are likely other targets but EFF only named those willing to be identified publicly. If the fates of Ablyazov’s wife and daughter are any indication, the fear of kidnapping is quite justified.
The EFF researchers implicate two companies: Arcanum, noted above, and India-based Appin Security Group. “A hired actor may also explain the generic and uninspired nature of the phishing,” the EFF report comments. Not only did the attacks directed against Ablyazov’s family and the Respublika publishers, use the same malware, but many of the emails were apparently exactly the same. This led the researchers to the conclusion that both sets of attacks are linked under Operation Manul.
“Operation Manul is not particularly sophisticated, but it is well-understood that attacks don’t need to be sophisticated in order to be effective,” the EFF report concludes.
While Quintin and Galperin’s powerpoint presented last week at Black Hat (available here) is at times flippant, a Spongebob meme with the words “Nobody Cares About Kazakhstan” makes a point the research push at the end–that although the attacks aren’t sophisticated, and Kazakhstan isn’t well-known for cyberattacks (unlike, say, Russia)–there’s significant research and attention needed.
“For activists and journalists who are being surveilled by authoritarian governments, surveillance is often just the first step in a campaign of intimidation, threats, and even direct violence.”
Kazakhstan’s pursuit of Respublika has been stymied in the U.S. court system, with a judge in California refusing a subpoena of Facebook and in New York, Judge Edgardo Ramos, ruling in late October 2015 that an injunction levied against the unnamed defendants in Kazakhstan’s case against its hackers did not apply to Respublika because Kazakhstan “does not have sufficient evidence to indicate that Respublika was in any way responsible for the alleged hacking or acted in concert with the hackers.”
Kazakhstan may be off the radar for many around the world, but the tactics being employed–using readily available malware, well-known techniques, and hireable companies–are replicable by governments around the world seeking to silence their opponents.