Kazakhstan-based hackers, believed to be the work of a group known as YoroTrooper, are actively engaged in an extensive espionage campaign against members of the Commonwealth of Independent States (CIS), according to research conducted by Cisco’s Talos group. YoroTrooper, with a focus on espionage, has been actively monitored by Cisco since its emergence in June 2022. Researchers have pointed to their use of Kazakh currency, fluency in Kazakh and Russian, and a sophisticated attempt to disguise their operations as indicators of their Kazakhstan-based origin. Their primary target has been the Kazakh government’s Anti-Corruption Agency.
YoroTrooper’s modus operandi may not be highly sophisticated, but the group has demonstrated considerable success in compromising targets in CIS countries over the past two years, thanks to their aggressive approach. Their tactics have expanded and evolved since Cisco Talos initially disclosed their activities in March 2023. They have engaged in attacks involving institutions and officials in Azerbaijan, Tajikistan, Kyrgyzstan, and Uzbekistan, employing VPN services to make it appear as though their attacks originate from Azerbaijan. The group often initiates attacks with phishing emails and deploys custom-made malware to steal data and credentials.
Researchers have observed YoroTrooper’s use of the Russian language in debugging their tools, with a recent addition of Uzbek, reflecting the languages spoken in Kazakhstan. The hackers use cryptocurrency to fund their operations and check currency conversion rates between Kazakhstani Tenge (KZT) and Bitcoin (BTC). While much of their activity is routed through Azerbaijan, the group does not speak Azerbaijani, indicating their attempts to mislead attribution. The group uses vulnerability scanners and open-source data from search engines to identify and exploit security vulnerabilities in their targets’ infrastructure.
Cisco Talos noted that YoroTrooper has adjusted its tactics and expanded its toolkit following their initial report in March 2023. The group’s targeting of government entities in these countries suggests they may be motivated by Kazakh state interests or working under the direction of the Kazakh government. The proximity of CIS countries to Europe, Central Asia, Russia, and China has likely driven the development of intelligence capabilities in cyberspace to support political, economic, and military advancements, according to cybersecurity researchers.
