The official website of Kazakhstan’s government has been infected with malware for over five months, Kazakh cybersecurity researchers say.
Security firms T&T and Zerde Security said they discovered two documents from the government portal’s legal and budget sections were infected with the Razy malware.
The files at the following URLs were publicly available on the eGov.kz portal of the Kazakhstan government:
- hxxps://legalacts.egov[.]kz/application/downloadnpa?id=5322314
- hxxps://budget.egov[.]kz/budgetfile/file?fileId=1520392
Last week, security company T&T Security showed in a video how downloading documents caused users to run an EXE before actually opening the requested document.
It has been speculated that a foreign intelligence agency or group organized a cyber-espionage attack on individuals working for the Kazakhstan Government or other sensitive sectors and compromised the website through a watering hole attack.
However, the Razy strain, first spotted in 2015, was mainly used in financially motivated operations. Most of its features were designed to steal users’ credentials and hijack their clipboard to replace cryptocurrency addresses.
In an interview with the Slovak newspaper The Record, Matthieu Fasou, who works for the antivirus company ESET, also expressed doubts it was a targeted attack.
According to the ESET’s researcher, the most likely scenario is that employees were infected by the Razy malware and its file spreader component that ESET tracks as FakeDoc later infected other documents stored on their computers and then got uploaded to the eGov.kz portal.
Not the first time this year has cybercriminals planted malware on an official government site.
In February, Ukraine’s National Coordination Center for Cybersecurity reported that Russian state-backed hackers compromised its government Web portals and planted malicious documents that installed malware on website visitors’ computers.
Another incident occurred last month when a hacker group from China launched a campaign to plant a trojan backdoor on the Myanmar president’s website.
