Kazakhstan Spying
NSO GROUP. PEGASUS. HACKING TEAM. 

2012

In December 2012, Kazakhstan's KNB purchased malware spying tools from Hacking Team, a company based in Italy.

2014

2015

June 2015 - The Electronic Frontier Foundation (EFF) was representing Respublika and journalists who were being targeted for reporting on corruption within the Kazakhstan government.

"The case began in March, when Kazakhstan sued dozens of unnamed individuals in a New York district court for allegedly breaking into government computers and stealing thousands of messages sent from Gmail accounts. The judge in the case issued a preliminary injunction, forbidding these unnamed individuals from disseminating, using, or viewing the material.

Respublika, like many news outlets around the world, reported on the emails after others had posted them publicly. But Kazakhstan government attorneys have since sent multiple letters to the newspaper’s web host, demanding the removal of dozens of articles. Earlier this month, Kazakhstan went further, claiming that the court order required that Respublika’s entire site be disabled. The government also subpoenaed Facebook as well as the newspaper’s web host and domain registrar to obtain personal identifying information about the authors and readers of Respublika’s articles. To date, 47 articles have been removed and are no longer available to readers in the United States, Kazakhstan, and around the world."

The emails obtained from the hacked Gmail accounts were alleged to be related to the Ablyazov case; that is, Ablyazov himself was accused of hiring third parties to hack the Kazakhstan government and leak the emails.

2016

August 2016 - EFF reported on Operation Manul, the name they gave to an operation they discovered targeting some of the same journalists they were representing, who were reporting stories critical of the Kazakhstan government. The full findings are in their Operation Manul report:

"This report covers a campaign we have named 'Operation Manul' and which, based on the available evidence described in the report, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts, litigation whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword), to allegations of kidnapping.

Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. A hired actor is consistent with our findings on the Command and Control servers related to this campaign, which included web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document with an attachment containing a blurry image. An investigation by the Swiss federal police of some of the emails linked to Operation Manul concludes that they were sent from IP addresses in India, which is also consistent with a link to Appin.

Hundreds of leaked emails published on the Kazaword website also suggest possible links between this campaign and Arcanum Global Intelligence, a private intelligence company with headquarters in Zurich, which was allegedly hired by the government of Kazakhstan to perform a surveillance and data extraction operation against a high-profile dissident. It was Respublika’s reporting on these connections which led the government of Kazakhstan to request an injunction in a New York court to bar the website from publishing the “stolen” emails."

The report includes a brief timeline overview, reproduced here for additional context:

August 8, 2014 - First links to leaked documents indicating corruption in the Kazakhstan government published to Kazaword

January 1, 2015 - Respublika publishes first articles that attribute Kazaword documents as source

February 20, 2015 - Kazakhstan files Kazakhstan vs. Does lawsuit in Santa Clara Superior Court

March 12, 2015 - Kazakhstan files Kazakhstan vs. Does lawsuit in the US District Court for the Southern District of New York

April 23, 2015 - Kazakhstan served Black Lotus, Respublika's webhost, with preliminary injunction

June 1, 2015 - First phishing email sent to attorney associated with Respublika case

July 8, 2015 - Two additional emails target attorney associated with Respublika case

July 13, 2015 - Additional email sent targeting defendant in Respublika case

August 12, 2015 - Email sent targeting attorney involved in anti-corruption case and identical emails sent targeting both defendants

September 20, 2015 - Phishing email sent targeting Kazakh dissident and Respublika attorney

October 27, 2015 - Judge Ramos injunction against Kazaword publishing leaked documents did not apply to Respublika

October 28, 2015 - SDNY magistrate partially grants Kazakhstan's request to take Respublika's deposition after court hearing

November 25, 2015 - Emails sent targeting Respublika attorney, spokesman, and additional attorneys

December 7, 2015 - Emails sent targeting Respublika attorney, spokesman, and additional attorneys (these attorneys were also working on cases related to alleged corruption by the Kazakhstan government in European countries)

January 15, 2016 - Both Respublika and Facebook filed oppositions to Kazakhstan's motions to compel Facebook to turn over to Kazakhstan user data associated with Respublika's Facebook account

January 20, 2016 - Emails sent targeting Respublika attorney and client

January 25, 2016 - Emails sent targeting dissident and attorney

February 17, 2016 - Emails sent targeting two attorneys

April 8, 2016 - Criminal complaint filed in Geneva, Switzerland on behalf of the Ablyazov family alleging a campaign of physical and digital surveillance by the Kazakhstan government

Within the 2016 Operation Manul report by EFF, this is how attribution was reported:

"Given the common thread tying together the targets we find it likely that this campaign was carried out by—or on the behalf of—the government of Kazakhstan, or forces allied with the government. The majority of the targets of the malware campaign are currently embroiled in legal disputes with the government of Kazakhstan in European courts or are the family members or associates of people involved in these disputes. The titles of spearphishing emails often indicate that the targets are being singled out specifically for their interest in matters pertaining to Kazakhstan, such as 'Information KZ,' 'Press document KZ,' and 'Kazakh NEWS of importance - Vladimir.'”

BlackHat EFF Presentation 2016 

2018

2021