Chinese hackers spy upon Kazakhstanis via telecommunication operators

According to KZ-CERT, the national Computer Emergency Response Team in Kazakhstan, a group of Chinese hackers had access to the infrastructure of Kazakhstani telecommunication operators for two years.

As CERT noted, this month unknown people published secret data leaked from iSoon (aka Anxun), one of the contractors of the Ministry of Public Security of China, on GitHub. According to this data, at least one Chinese hacker group had full access to the critical infrastructure of Kazakhstani telecommunication operators over the past two years.

«Attackers were interested in both general information such as databases and more specific information related to certain individuals. They wanted to know whom they called, what they chatted about and where they traveled. The data analysis showed that hackers stole terabytes of information,» CERT said in a statement.

Over the period from 2019 to 2020, perpetrators stole 637 gigabytes of information from beeline.kz, 820 gigabytes from kcell.kz, 1.09 terabytes from tele2.kz and 257 gigabytes from telecom.kz in 2021.

Hackers also published the personal data of IDNET and IDTV users with their logins and passwords.

«Hackers controlled event logs of the operators; they knew the duration of calls, IMEI codes of mobile devices and billing data of calls,» the CERT said in a statement.

The data leaks also mentioned the Unified Accumulative Pension Fund of Kazakhstan. In 2019 alone, perpetrators stole 1.92 gigabytes of data from the fund. Data from the country’s Defense Ministry and the national air carrier Air Astana have also leaked.

After examination of phone numbers through different leaks and GetContact, CERT’s experts found out that personnel of security agencies were also targeted in multiple attacks.

Apart from Kazakhstan, many other countries reported data leaks: Kyrgyzstan, Mongolia, Pakistan, Malaysia, Nepal, Turkey, India, Egypt, France, Cambodia, Rwanda, Nigeria, Hong Kong, Indonesia, Vietnam, Myanma, the Philippines and Afghanistan.

In December 2023, Kazakhstan’s President Kassym-Jomart Tokayev signed a law regulating the institution of white hat hackers as the government wanted these «good» hackers to identify security vulnerabilities of national information systems. In January 2024, the Ministry of Digital Development, Innovations and Aerospace Industry published a draft regulation for interaction with IT researchers also known as «white hat hackers.»

According to the new rule, white hat hackers can participate in searching for vulnerabilities that can cause data leaks after obtaining a special token. Any attack on eGov.kz without a token would be considered unauthorized.

In September 2023, some Kazakhstani media outlets reported that perpetrators used Venom RAT, a special software imitating NCAlayer, a public service for signing digital documents. As a result, criminals could get access to confidential information.