An agent of the Kazakhstan government has been using enterprise-grade spyware against domestic targets, according to Lookout research published last week.
The government entity used brand impersonation to trick victims into downloading the malware, dubbed “Hermit.” Hermit is an advanced, modular program developed by RCS Lab, a notorious Italian company that specializes in digital surveillance. It has the power to do all kinds of spying on a target’s phone – not just collect data, but also record and make calls.
The timing of this spying operation holds extra significance. In the first week of 2022, anti-government protests were met with violent crackdowns across Kazakhstan. In all, 227 people died and nearly 10,000 were arrested. Four months later, researchers discovered the latest samples of Hermit making the rounds.
The Intrusion
How do you get a target to download their own spyware?
In this campaign, the perpetrators use OPPO (Guangdong Oppo Mobile Telecommunications Corp., Ltd), a Chinese mobile and electronics manufacturer, as their ploy to earn trust among targets. According to researchers, agents working on behalf of the government send SMS messages purporting to come from OPPO; the messages actually carry a maliciously hijacked link to the company’s official Kazakh-language support page: http[://]oppo-kz[.]custhelp[.]com. (At the time of the report’s publication, that support page had gone offline.) In some instances, the attackers also impersonate Samsung and Vivo, according to Lookout.
The intrusion requires the victim to open the SMS message and click the link to the hijacked page. While the page loads, the malware downloads in the background on the target machine, then connects to a C2 server hosted by a small service provider in Nur-Sultan, the capital of the country.
As Paul Shunk, security researcher at Lookout, wrote in a statement: “The combination of the targeting of Kazakh-speaking users and the location of the backend C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan.” Though the Lookout researchers identified that entity as belonging to the state government, they did not attribute the campaign to a particular government official or department.
The Malware
Hermit isn’t just sophisticated, it’s wholly customizable.
It’s built modularly, meaning that its owners can use or ignore some of its 25 known components, each of which serves a different function. It also means that the deployment of any given instance of Hermit might be different from the next.
Among those many functions are the ability to record audio, make and redirect calls, and collect data on a victim’s smartphone.
Then there are more niche functions. For example, as the researchers noted in their report, “the spyware also attempts to maintain data integrity of collected ‘evidence’ by sending a hash-based message authentication code (HMAC). This allows the actors to authenticate who sent the data as well as ensure the data is unchanged.” Why is this interesting? Because “using this method for data transmission may enable the admissibility of collected evidence.”
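How an HMAC gives a receiver the two properties described above, as an added example (not code from Hermit or from the Lookout report). The key, the record layout and the choice of SHA-256 are assumptions made for illustration; the last case shows the limit of a shared-key tag.

```python
import hashlib
import hmac
import json

# Constructed shared key; with an HMAC, sender and receiver both hold it.
SHARED_KEY = b"constructed-demo-key-not-from-any-sample"


def seal(key: bytes, record: dict) -> dict:
    """Serialize a record canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(key: bytes, message: dict) -> bool:
    """Recompute the tag over the received body and compare in constant time."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def demo() -> dict:
    record = {"seq": 1, "type": "note", "data": "constructed sample payload"}
    sealed = seal(SHARED_KEY, record)

    # Integrity: altering the body after sealing invalidates the tag.
    tampered = dict(sealed, body=sealed["body"].replace("sample", "edited"))

    # Origin: a party without the key cannot produce a tag that verifies.
    outsider = seal(b"some-other-key", record)

    # Limit: the receiver also holds the key, so a record it seals itself
    # verifies exactly like one the sender produced.
    receiver_made = seal(SHARED_KEY, {"seq": 2, "type": "note", "data": "x"})

    return {
        "intact": verify(SHARED_KEY, sealed),
        "tampered": verify(SHARED_KEY, tampered),
        "outsider": verify(SHARED_KEY, outsider),
        "receiver_made": verify(SHARED_KEY, receiver_made),
    }


if __name__ == "__main__":
    print(demo())
```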
“The discovery of Hermit adds another puzzle piece to the picture of the secretive market for ‘lawful intercept’ surveillance tools,” wrote Shunk. “If there is legitimate use of this technology, it certainly requires strict oversight and protections against abuse.”