In the wake of a protest movement which swept Kazakhstan in January, the Kazakh government deployed a spyware to surveil activists, a cybersecurity research group found.
The program, dubbed Hermit, is functionally similar to the Israeli-made Pegasus program. (Photo: Piqusels, License)
WRITTEN BY DAVID KLEIN
The program, dubbed ‘Hermit’ by the Lookout Threat Lab, is functionally similar to the Israeli-made Pegasus spyware, though it is believed to have been designed by the Italian group, RCS labs.
The sample detected is designed specifically for Android devices, though Lookout believes that an IOS version also exists.
“Named after a distinct server path used by the attacker’s command and control (C2), Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it’s deployed,” Lookout said in their report.
The January protests in Kazakhstan were triggered by the rise of fuel prices and have quickly turned violent. The focus of the people’s anger was former President Nursultan Nazarbayev, 81, who ruled the former Soviet country since its independence in 1991.
His family is believed to control much of the country’s economy. Nazarbayev resigned in 2019 and handpicked his successor but remained until January in power behind the scene.
Kazakhstan isn’t the only country the spyware had been deployed to. The lab also found evidence of its use in Rojava, the Kurdish majority region of Northern Syria which has been under siege by both the Turkish military and the Syrian government of Bashar Al-Assad.
“Prior to detecting the Kazakhstan samples, we found a reference to “Rojava,” a Kurdish-speaking region in northeastern Syria, in the passive DNS records of Hermit,” Lookout said. “The domain we found (rojavanetwork[.]info) specifically imitates “Rojava Network,” a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.” SDF stands for Syrian Democratic Forces.
The software has also been deployed in its home country of Italy, the Italian parliament revealed in 2021.
“Italian authorities potentially misused it in an anti-corruption operation,” the report said.
In Addition to Kazakhstan and Syria, RCS lab also has ties with Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.
Turkmenistan is considered one of the world’s most repressive states and Myanmar has been accused of engaging in genocide against their Rohingya minority since at least 2016.
The sample detected is designed specifically for Android devices, though Lookout believes that an IOS version also exists.
“Named after a distinct server path used by the attacker’s command and control (C2), Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it’s deployed,” Lookout said in their report.
The January protests in Kazakhstan were triggered by the rise of fuel prices and have quickly turned violent. The focus of the people’s anger was former President Nursultan Nazarbayev, 81, who ruled the former Soviet country since its independence in 1991.
His family is believed to control much of the country’s economy. Nazarbayev resigned in 2019 and handpicked his successor but remained until January in power behind the scene.
Kazakhstan isn’t the only country the spyware had been deployed to. The lab also found evidence of its use in Rojava, the Kurdish majority region of Northern Syria which has been under siege by both the Turkish military and the Syrian government of Bashar Al-Assad.
“Prior to detecting the Kazakhstan samples, we found a reference to “Rojava,” a Kurdish-speaking region in northeastern Syria, in the passive DNS records of Hermit,” Lookout said. “The domain we found (rojavanetwork[.]info) specifically imitates “Rojava Network,” a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.” SDF stands for Syrian Democratic Forces.
The software has also been deployed in its home country of Italy, the Italian parliament revealed in 2021.
“Italian authorities potentially misused it in an anti-corruption operation,” the report said.
In Addition to Kazakhstan and Syria, RCS lab also has ties with Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.
Turkmenistan is considered one of the world’s most repressive states and Myanmar has been accused of engaging in genocide against their Rohingya minority since at least 2016.
Published: 23 June 2022
https://www.occrp.org/
No comments:
Post a Comment