This report covers a campaign of phishing and malware which we have named “Operation Manul” and which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword) to allegations of kidnapping.
Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. A hired actor is consistent with our findings on the Command and Control servers related to this campaign, which included web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document with an attachment containing a blurry image. This talk will cover the report in detail. We will also go into detail about the often low-tech, unsophisticated attack methods which are commonly used against journalists and dissidents, and what security researchers and defenders at microsoft and elsewhere can do to stop these sorts of attacks and keep people safe from authoritarian governments.