Russia-Linked APT TAG-110 Targets Europe and Asia with Custom Malware HATVIBE and CHERRYSPY - Everything You Need to Know
TAG-110 is a Russia-linked cyber-espionage group, suspected to be a subset of APT28 (also known as Fancy Bear), that targets European government institutions as well as human rights and educational institutions in Central Asia and East Asia. According to Insikt Group researchers, the group uses complex custom malware, including HATVIBE and CHERRYSPY, to gain unauthorized access to sensitive information.
The TAG-110 campaign uses HATVIBE, a malware loader that allows the group to deploy CHERRYSPY, a Python-based backdoor that exfiltrates encrypted data. Once inside a system, CHERRYSPY uses RSA and AES encryption to extract sensitive data without being detected. The initial infection vector is usually a phishing email or the exploitation of a vulnerable web service, such as Rejetto HTTP File Server. These tactics mirror those previously used by APT28, one of the most notorious Russian state-sponsored actors.
CERT-UA first reported on TAG-110 in 2023, warning about its operations against Ukrainian state bodies using HATVIBE and CHERRYSPY alongside other espionage tools, including the LOGPIE and STILLARCH malware. Since 2024, TAG-110 has successfully targeted more than 60 victims in countries such as Kazakhstan, Kyrgyzstan, and Uzbekistan, which shows its focus on Central Asia, a region crucial to Russia's geopolitical interests.
The group's cyber-espionage activities appear to support Russia’s broader military and national security strategies. By infiltrating sensitive networks, TAG-110 seeks to gather intelligence that could help shape Russia’s political maneuvers, particularly regarding post-Soviet states and Ukraine. The ongoing campaign underscores the group's sophisticated tactics, including leveraging malware to evade detection and maintain persistence on targeted systems.
Researchers believe that TAG-110 will continue its cyber-espionage campaigns, particularly in regions of high geopolitical importance to Russia. These include Ukraine and the former Soviet states of Central Asia, where Russia is trying to assert its influence amid tension. There is speculation about a connection to the BlueDelta group, but no link has been proven.
Understanding how TAG-110 and other APTs attack sensitive government networks can therefore help organizations in at-risk regions, because a sophisticated cyber-espionage campaign can cause serious damage if its entry points are not adequately guarded with robust cybersecurity.