November 27, 2024

Cyber Espionage Unveiled Russia-Aligned TAG-110 Targets Asia and Europe


Russia-Aligned TAG-110: Espionage Threats in Asia & Europe

In a recent wave of cyber espionage, a Russia-aligned threat activity group known as TAG-110 has been identified as the perpetrator behind a sophisticated campaign targeting organizations across Asia and Europe. The group has been actively deploying custom malware tools to infiltrate government entities, human rights groups, and educational institutions, particularly in Central Asia.

The operations of TAG-110 have been closely monitored by Recorded Future's Insikt Group, which has observed a significant escalation in attacks since July 2024. TAG-110 uses two primary malware strains, HatVibe and CherrySpy, to compromise its targets. HatVibe, a custom HTML application (HTA) loader, is designed to deploy CherrySpy, a Python-based backdoor known for its espionage capabilities.

The campaign has significantly impacted 62 unique victims across eleven countries, with the majority being in Central Asia. Notable victims include the National Center for Human Rights of the Republic of Uzbekistan, KMG-Security (a subsidiary of Kazakh state-owned oil and gas enterprise KazMunayGas), and a Tajik educational and research institution. The group's focus has also extended to countries like Armenia, China, Greece, Hungary, India, Kyrgyzstan, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

TAG-110's primary method of initial compromise involves the exploitation of vulnerabilities in public-facing web applications, such as Rejetto HTTP File Server, alongside phishing emails to deliver HatVibe. Once installed, HatVibe facilitates the deployment of CherrySpy, which ensures persistence through scheduled tasks, monitors activity, and exfiltrates data back to the group's command-and-control (C2) servers.

Insikt Group's analysis suggests that TAG-110's activities align with Russia's broader geopolitical strategy, particularly in gathering intelligence to support its military efforts in Ukraine and understanding regional dynamics. This campaign mirrors the strategic interests of BlueDelta (also known as APT28), a Russian sabotage group, although this attribution is held with moderate confidence.

To defend against future attacks, organizations are urged to monitor for indicators of compromise, implement security patches promptly, and enhance network security measures. Recorded Future emphasized the need for proactive mitigation strategies to counteract the persistent threat posed by TAG-110.
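
As an added illustration (not part of the original article or of Recorded Future's report), the Python sketch below hunts for the behaviour chain described above: an HTA loader executing, followed by a scheduled task that launches a Python interpreter. The event schema, field names, host names and sample events are constructed for this example; the article gives no command lines or task names.

```python
import ntpath
from collections import defaultdict

# Constructed sample events in a hypothetical normalized schema (not from the report).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process", "parent": "outlook.exe", "image": "C:\\Windows\\System32\\mshta.exe"},
    {"host": "ws-01", "type": "process", "parent": "mshta.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws-01", "type": "task_created", "action": "C:\\Users\\a\\AppData\\Local\\py\\pythonw.exe svc.pyc"},
    {"host": "ws-02", "type": "process", "parent": "explorer.exe", "image": "C:\\Python312\\python.exe"},
    {"host": "srv-03", "type": "task_created", "action": "C:\\Windows\\System32\\robocopy.exe D:\\data E:\\backup"},
    {"host": "ws-04", "type": "process", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe"},
]
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
HTA_TAGS = {"hta_execution", "hta_child_process"}

def exe_name(path):
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return ntpath.basename(path.strip('"')).lower()

def task_program(action):
    """Program a task action launches; handles a quoted path containing spaces."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:].split('"', 1)[0]
    parts = action.split()
    return parts[0] if parts else ""

def classify(event):
    """Behaviour tags for one event; an empty list means nothing of interest."""
    tags = []
    if event["type"] == "process":
        if exe_name(event["image"]) == "mshta.exe":    # HTA files run under mshta.exe
            tags.append("hta_execution")
        if exe_name(event["parent"]) == "mshta.exe":   # HTA content spawning a process
            tags.append("hta_child_process")
    elif event["type"] == "task_created":
        if exe_name(task_program(event["action"])) in PYTHON_IMAGES:
            tags.append("python_scheduled_task")
    return tags

def hunt(events):
    """Per-host findings; HTA activity plus a Python scheduled task is 'high'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {host: {"tags": sorted(tags),
                   "priority": "high" if "python_scheduled_task" in tags and tags & HTA_TAGS else "review"}
            for host, tags in per_host.items() if tags}
```

In practice the two event types would be fed from process-creation telemetry (for example Sysmon Event ID 1) and scheduled-task creation records (Windows Security Event ID 4698), mapped into whatever schema the SIEM uses.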

This latest wave of cyber espionage underscores the ongoing cyber threats in Central Asia and Europe, where Russia seeks to maintain influence amidst geopolitical tensions. TAG-110's operations are part of a calculated strategy to destabilize NATO allies and disrupt their support for Ukraine, aligning with Russia's hybrid warfare doctrine.

As the world navigates these cyber threats, it is crucial for organizations to remain vigilant and adopt robust cybersecurity measures. The activities of TAG-110 serve as a stark reminder of the need for international cooperation in combating state-sponsored cyber espionage, particularly when it targets critical sectors of society. The implications of these attacks are far-reaching, affecting not only national security but also the broader geopolitical landscape.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
