
Chinese Cyber Operations Targeting Kazakhstan

  • Editorial Staff
  • 25. 6.
  • Reading time: 7 minutes

Updated: 21. 8.


Prepared May 2025

Author: Luca Pellegrini


The threat of hacking attacks symbolized by a shadowy figure with a laptop, surrounded by the Chinese flag and a map of Kazakhstan on a binary code background.






Executive Summary


Kazakhstan, a pivotal Central Asian nation, has increasingly become a focal point for cyber activities, particularly from Chinese state-sponsored actors. This report delves into the multifaceted cyber threats facing Kazakhstan, highlighting the nature of cyberattacks, the vulnerabilities exploited, and the broader implications of China's digital influence in the region.




Strategic Context


Kazakhstan is central to China’s strategic vision in Eurasia for several reasons:


Belt and Road Initiative: Kazakhstan is a vital hub in the overland BRI route. Control over digital infrastructure and information flows facilitates the security of Chinese investments and logistics.


Xinjiang Security: With ethnic Kazakh populations living in Xinjiang and cross-border ethnic ties, China is deeply interested in monitoring sentiment and dissidence that could spill over into its territory.


Energy Security: Kazakhstan exports oil and gas to China. Cyber surveillance supports Chinese control and leverage in energy negotiations and supply chains.


Geopolitical Competition: As the U.S., EU, and Russia compete for influence in Central Asia, China uses cyber operations to assert dominance without overt political confrontation.


Recent investigations have unveiled extensive cyber-espionage campaigns orchestrated by Chinese entities against Kazakhstan's critical infrastructure.


Chinese hackers infiltrated major Kazakh telecom operators, including Beeline, Kcell, and Tele2, exfiltrating over 2.5 terabytes of sensitive data between 2019 and 2021. The compromised information encompassed call logs, device identifiers, and billing details.


A significant data leak from the Chinese cybersecurity firm iSoon revealed tools and operations used to surveil foreign entities. The leaked documents indicated that iSoon had access to Kazakh telecom infrastructures, facilitating the monitoring of communications and data exfiltration.


Reports suggest that Chinese hacker groups maintained unauthorized access to Kazakhstan's telecommunication systems for up to two years, targeting entities such as the Ministry of Defence and the national airline.




Surge in Cyberattacks


Kazakhstan has witnessed a dramatic escalation in cyber threats.

The State Technical Service reported over 223 million cyberattack attempts in 2023, predominantly targeting government bodies, telecom operators, and private enterprises.


The first quarter of 2025 saw a doubling of cyber incidents compared to the previous year, with 30,000 recorded cases. Notably, botnet-related activities surged, indicating a shift towards more automated and widespread attack vectors.




Key Chinese Threat Actors


1. APT10 (aka Stone Panda, MenuPass)

Affiliation: Chinese Ministry of State Security (MSS)

Target sectors: Government, telecom, defense, energy, healthcare, and NGOs


Activities in Kazakhstan:

APT10 is known for large-scale cyber-espionage campaigns.

It has targeted regional government entities and think tanks, particularly those involved in China’s Belt and Road Initiative (BRI), which includes Kazakhstan.

It likely harvested sensitive geopolitical intelligence and internal communications.


Tactics, Techniques, and Procedures (TTPs):

Spear-phishing with customized payloads

Malware families: QuasarRAT, RedLeaves, ChChes

Frequent use of stolen credentials and lateral movement within networks




2. APT27 (aka Emissary Panda, LuckyMouse)

Affiliation: Linked to China’s People’s Liberation Army (PLA)

Target sectors: Government, military, infrastructure, finance, and diplomatic missions


Activities in Kazakhstan:

Suspected of targeting Kazakhstan’s Ministry of Foreign Affairs and related government bodies.

Interest likely tied to Kazakhstan’s balancing role between China and Russia, and its role in SCO (Shanghai Cooperation Organization).


Tactics, Techniques, and Procedures (TTPs):

Custom back-doors (e.g., HyperBro, ZXShell)

Command and control (C2) using legitimate-looking domains

Exploits against web servers (especially MS Exchange, SharePoint)




3. APT41 (aka Double Dragon, Barium, Winnti Group)

Affiliation: Chinese hybrid group of MSS contractors with criminal sideline activities

Target sectors: Government, education, healthcare, finance, and gaming


Activities in Kazakhstan:

Known for targeting educational institutions and ministries of education, possibly linked to China's interest in surveillance and influence over Uyghur populations and cultural policy.

Also engaged in financial cybercrime; may be involved in cyber-enabled financial espionage against Kazakhstan’s banking sector.


Tactics, Techniques, and Procedures (TTPs):

Dual use of espionage and financial cybercrime techniques

Custom malware: Cobalt Strike, ShadowPad

Supply chain compromise and watering hole attacks




4. RedEcho (linked to APT41/Winnti)

Affiliation: Chinese

Focus: Critical infrastructure and energy, in particular Indian critical infrastructure

Known for: Coordinated targeting of national power grids and energy regulators


Activity in Kazakhstan:

Reports (such as from Recorded Future) suggest scanning and probing of Kazakh energy infrastructure during periods of Sino-Kazakh tension.

Likely conducting reconnaissance for future sabotage or information theft.


Tactics, Techniques, and Procedures (TTPs):

Use of ShadowPad backdoor

Encrypted C2 communications

Infrastructure overlaps with APT41/Winnti




5. Naikon APT

Affiliation: Likely linked to PLA

Target sectors: Government, military, foreign affairs


Activity in Kazakhstan:

Known for targeting diplomatic communications and regional intelligence in Southeast and Central Asia.

Believed to have penetrated email servers of several foreign affairs ministries, possibly including Kazakhstan’s.


Tactics, Techniques, and Procedures (TTPs):

Focus on long-term stealth access

Exploits for Microsoft Office and Outlook vulnerabilities

Malware: Aria-body, JakkaRAT




6. Mustang Panda (aka TA416, RedDelta)

Affiliation: Tied to MSS front companies

Focus: Political and religious groups, including foreign embassies


Activity in Kazakhstan:

Kazakhstan has been indirectly targeted due to its hosting of Uyghur diaspora and involvement in regional Uyghur policies.

Likely surveillance and phishing against NGOs, religious groups, or minority rights organizations based in Kazakhstan.


Tactics, Techniques, and Procedures (TTPs):

Use of PlugX, Cobalt Strike

ZIP attachments with malicious LNK or DOC files

Payloads often themed around Uyghur, religious, or diplomatic issues
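As an added defender-side example (not code from the original report), the following Python inspects a ZIP mail attachment for the lure pattern listed above: a Windows shortcut (LNK) or legacy Office document, often hidden behind a decoy name such as "Agenda.pdf.lnk". It checks file content signatures as well as extensions, so a renamed LNK is still caught; the sample archive is constructed inline for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.lnk) header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000 01140200 00000000 C000000000000046")
# OLE2 compound document signature, used by legacy binary Word (.doc) files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SUSPECT_EXT = {".lnk", ".doc", ".docm", ".dot", ".dotm", ".exe", ".scr", ".js", ".vbs", ".hta"}
DECOY_EXT = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".png"}  # typical first half of a double extension


def inspect_zip(archive: bytes) -> list[str]:
    """Return findings for a ZIP attachment; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if info.flag_bits & 0x1:  # encrypted entry: content cannot be inspected
                findings.append(f"{name}: encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(32)
                if head.startswith(LNK_MAGIC):
                    findings.append(f"{name}: Windows shortcut (LNK) content")
                elif head.startswith(OLE_MAGIC):
                    findings.append(f"{name}: OLE compound document (legacy Office) content")
            if suffixes and suffixes[-1] in SUSPECT_EXT:
                findings.append(f"{name}: suspicious extension {suffixes[-1]}")
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXT:
                    findings.append(f"{name}: double extension {''.join(suffixes[-2:])}")
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a real lure): a text note beside an LNK posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"Please review the attached agenda.")
        zf.writestr("Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_zip(build_sample()):
        print(line)
```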




Summary Table

| Threat Actor           | Affiliation  | Target Sectors           | Known Tactics                 | Activity in Kazakhstan                                  |
|------------------------|--------------|--------------------------|-------------------------------|---------------------------------------------------------|
| APT10 (Stone Panda)    | MSS          | Government, R&D          | Spear-phishing, RATs          | Espionage tied to BRI                                   |
| APT27 (Emissary Panda) | PLA          | Diplomatic, defense      | Exploits, custom backdoors    | Ministry of Foreign Affairs and government targeting    |
| APT41 (Winnti)         | MSS/criminal | Education, finance       | Supply chain, financial theft | Dual-purpose targeting                                  |
| RedEcho                | MSS-linked   | Energy, infrastructure   | ShadowPad, C2 networks        | Energy reconnaissance                                   |
| Naikon APT             | PLA          | Military, foreign policy | Office exploits, email spying | Foreign affairs focus                                   |
| Mustang Panda          | MSS          | NGOs, Uyghur groups      | Phishing, PlugX               | Civil society monitoring                                |




Cybersecurity Infrastructure and Challenges


Despite efforts to bolster cybersecurity, Kazakhstan faces significant challenges. It ranks 78th out of 176 countries in the National Cyber Security Index, reflecting moderate preparedness against cyber threats. The country scores low in protecting digital services and essential services, with 0% and 17% respectively, indicating areas requiring urgent attention. Limited resources and expertise hinder the development of robust cybersecurity measures, leaving critical infrastructure susceptible to sophisticated attacks.



China's Digital Influence in Central Asia


China's engagement in Kazakhstan extends beyond cyberattacks. Through initiatives like the Digital Silk Road, China has invested in Kazakhstan's digital infrastructure, including surveillance systems and telecommunications, raising concerns about data sovereignty and privacy. China employs soft power tactics, such as cultural exchanges and media partnerships, to shape public perception and policy directions in Kazakhstan.



Wave of Cyberattacks Escalates Against Kazakhstan’s Independent Media and Digital Infrastructure


At least nine independent media outlets and numerous journalists have been targeted by cyberattacks since November 2023, according to local press freedom group Adil Soz. Victims include prominent organizations such as Kursiv, Inbusiness.kz, ProTenge, Airan, and the KazTAG news agency. These attacks have ranged from DDoS assaults that rendered websites inaccessible to orchestrated campaigns blocking social media accounts through mass complaints and fake reports.


Journalist Askhat Niyazov, known for his critical interviews with officials, reported that his Telegram and WhatsApp accounts, as well as those of his colleagues and spouse, were compromised in December 2023. In a separate incident, investigative Instagram outlet ProTenge had its account attacked and temporarily disabled, while Factcheck.kz and UlysMedia also reported DDoS attacks and hacking, respectively, with the latter resulting in the public release of personal information belonging to its editor-in-chief.


The attacks have forced media outlets to divert substantial resources to cybersecurity, with Kursiv.Media estimating losses exceeding 19 million tenge (about $42,300) due to redirected resources and lost advertising revenue. In January 2024, several media organizations and journalists jointly appealed to the National Security Committee (KNB) to take action against mounting pressure and cyber threats targeting the press.




Broader Digital Sector Disruptions


The Kazakhstani internet sector as a whole has also been hit hard. In early May 2025, a massive DDoS attack disrupted government portals, banking systems, and telecommunications networks, leaving thousands of users unable to access essential services. Authorities have acknowledged the severity of the attack and are collaborating with cybersecurity experts to mitigate its impact, though slow loading speeds and intermittent outages persist. The Ministry of Digital Development has urged organizations and individuals to bolster their online defenses, highlighting the urgent need for stronger national cybersecurity measures.


Between January and May 2025 alone, Kazakhstan recorded 30,000 information security incidents, double the number from the previous year. Botnet activity, phishing, and data leaks have all surged, with some incidents linked to foreign state actors and cybercriminal groups. In February 2024, a nongovernmental center reported that a hacker group tied to China’s APT41 espionage operation had gained access to critical infrastructure, including telecommunications operators and the state-owned pension fund.





Recommendations


To mitigate cyber threats and safeguard national interests, Kazakhstan should consider:


Enhancing Cybersecurity Frameworks: Develop comprehensive policies and invest in advanced cybersecurity technologies.


International Collaboration: Engage with global partners for intelligence sharing and joint cybersecurity initiatives.


Capacity Building: Invest in training and retaining cybersecurity professionals to build a resilient workforce.


Public Awareness: Launch awareness campaigns to educate citizens and organizations about cyber hygiene and threat mitigation.






CEPRODE EUROPE s.r.o.
