EFF: Kazakhstan targeting journalists and dissidents with Operation Manul spyware campaign
Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation at Black Hat
While Russia has been repeatedly accused of brazenly hacking U.S. and Ukrainian interests, the actions of its less conspicuous neighbor Kazakhstan may be flying under the radar. Cyber actors in the nation are allegedly targeting journalists and political dissidents and their families and associates through a cyberespionage campaign.
At Black Hat, two presenters from the watchdog group Electronic Frontier Foundation – Cooper Quintin, staff technologist, and Eva Galperin, global policy analyst – publicly revealed the cyber campaign, dubbed Operation Manul, following an investigation that began in 2015.
According to EFF, Manul employs both phishing and malware tactics and has targeted multiple victims who are actively embroiled in international litigation with the Kazakhstani government. This includes publishers of the online newspaper Respublika, as well as Mukhtar Ablyazov, co-founder of the since-disbanded Democratic Choice of Kazakhstan party, which opposed Kazakhstan's authoritarian regime. In 2013, Ablyazov's wife and six-year-old daughter were detained in Italy, where they had previously fled, and were extradited back to Kazakhstan – possibly as a result of spyware that tracked their movements, EFF claims.
The malware component of the campaign actually consists of two malicious remote access trojans (RATs) – JRat (aka Jacksbot), which runs across multiple platforms, and Bandook, which operates solely on Windows.
JRat enables such capabilities as keylogging, password recovery, host webcam control, opening shells on the host, editing the host registry, and even chat "in case you want to taunt or harass your victim," said Quintin at Black Hat. It uses Java code obfuscation and anti-virtualization features to evade analysis by researchers. Meanwhile, Bandook allows bad actors to perform screen captures; make webcam recordings; create, delete and steal files; remotely spawn shells; and monitor USB devices. To avoid detection, the malware waits to download and deploy its full payload until after connecting with the command-and-control server and receiving its instructions.
The appeal of using off-the-shelf malware is that "it's cheap, it's featureful, and there are fewer attributes to hang attribution on," although such programs are typically easier to detect, said Quintin.
Operation Manul's method of infection is spear-phishing emails – dating back to at least 2012 – that trick the recipient into opening a malicious file in order to view the content. The subject matter of these malicious emails typically was related to Kazakh news, in order to lure in the reader.
EFF also tied the campaign to an Indian security company called Appin Security Group, which appears to have been hired as a third party to run the phishing campaign (the emails were sent from Indian IP addresses). The EFF also believes Manul could be linked to a Switzerland-based private intelligence company that Kazakhstan allegedly hired to conduct surveillance against a high-profile dissident.