Journalists and political activists critical of Kazakhstan’s authoritarian government, along with their family members, lawyers, and associates, have been targets of an online phishing and malware campaign we believe was carried out on behalf of the government of Kazakhstan. We are releasing our report on the campaign today.
This report covers a campaign we have named “Operation Manul” and which, based on the available evidence described in the report, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts, litigation whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword), to allegations of kidnapping.
The full text and technical details about the report are available here: Operation Manul report.
Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. The hypothesis of a hired actor is consistent with our findings on the Command and Control servers related to this campaign, which hosted web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document, with an attachment containing a blurry image. An investigation by the Swiss federal police of some of the emails linked to Operation Manul concludes that they were sent from IP addresses in India, which is also consistent with a link to Appin.
Hundreds of leaked emails published on the Kazaword website also suggest possible links between this campaign and Arcanum Global Intelligence, a private intelligence company with headquarters in Zurich, which was allegedly hired by the government of Kazakhstan to perform a surveillance and data extraction operation against a high-profile dissident. It was Respublika’s reporting on these connections which led the government of Kazakhstan to request an injunction in a New York court to bar the website from publishing the “stolen” emails.