How Foreign Cyber Spies Stole Kazakhstanis’ Personal Data


Chinese hackers had been stealing data from Kazakhstani information networks for two years. Information about this surfaced after documents with this data were published on GitHub. Orda.kz has looked into the matter.

Partners?

The large-scale leak of data collected by the Chinese company iSoon happened in February of this year. Dozens of files have appeared in the public domain on the GitHub website. Chinese cyber spies targeted law enforcement and official agencies around the world, including NATO. The cyberattack was also very widespread and ranged from Kyrgyzstan to France.

Kazakhstani consumers’ data from Kazakhtelecom, Beeline, Kcell, and Tele2 fell into the hands of the hackers. Cyber spies had even gained complete control over the file and anti-virus servers of Kazakhstani companies. Among the key targets of the attack were law enforcement officers. The Center for Analysis and Investigation of Cyber Attacks (TSARKA - Ed.) reported that the UAPF had been mentioned in the leaked documents, yet the pension fund hastily assured that there was no data leak on its side.

iSoon undoubtedly collected information about security forces around the world, including Kazakhstan, at the behest of an intelligence agency. They had been doing it for at least two years.

When reports on the leak emerged, the Ministry of Digital Development, Innovation, and Aerospace Industry reported that it was assessing the situation together with the KNB. Law enforcement agencies launched unscheduled inspections.

The Ministry’s Information Security Committee held a briefing, where the blame was delicately not laid on China’s door. The committee’s chairperson, Ruslan Abdikalikov, stressed that China is a "strategic partner" of Kazakhstan. However, he did not explain how the strategic partnership is mixed with espionage.

Western experts, unlike Kazakhstani ones, have openly stated that the Chinese special services are behind the iSoon hackers. Citizens received advice to accept the idea that their data is likely to have already been compromised.

Stolen data cannot be returned, so it's too late to wonder who reaped the benefits. Perhaps, the more appropriate question is how was this even possible.

Security on Crutches

The data leak from iSoon has revealed the weak spots in Kazakhstan's information infrastructure against cyber attacks. Vulnerabilities and threats exist both at the level of software and at the level of hardware used in Kazakh government agencies and corporations. Kazakhstan buys a significant part of the equipment from China. Hackers from China are certainly well aware of the weaknesses of such hardware.

"There are two levels in programming — upper and lower. The lower one is just at the 'hardware' level. When a computer operates somehow even without an operating system, this is the lower level. And if the equipment comes to us already with Chinese tech, then hackers could exploit those vulnerabilities that they already know about in advance," notes IT expert Sergey Akhmetov, president of the Kazakhstan Association of Big Data and Analytics.

TSARKA rejects the idea that, in this particular case, the hacking was somehow related to vulnerabilities at the hardware level. But this does not mean that there is no such problem.

"Yes, there are vulnerabilities in Chinese equipment, as well as in other products. But there is no direct evidence that Chinese companies that supply hardware and software are leaking these vulnerabilities to security agencies so that they can hack us. We cannot confirm this," said Olzhas Satiyev, TSARKA President.

IT expert Sergey Akhmetov believes that the reason for the massive data leak is systemic problems with the country's digital infrastructure. The information security market in the Republic of Kazakhstan is very small. Tenders are held with three or four companies, most purchases are carried out behind closed doors. This applies to both hardware and software. And investments in infrastructure development are modest.

"They save on everything they can. At least in the projects that I came across — there was the cheapest firewall, the cheapest hardware from China. Tenders are held with a narrow range of companies. When tenders are announced, information security specialists are not consulted. They give everything to our security services after the fact: here, we bought such and such a server. And it, for example, no longer meets the safety requirements. For instance, the Damumed project: I know for sure that it was given to the security services after the fact, when everything was written and done," says Sergey Akhmetov.

The expert advises adopting the experience of the European Union, Russia, or China, where when developing new services and purchasing equipment, everything is immediately worked out with information security specialists. No longer setting unrealistic deadlines for developers is also crucial.

"We like to speed up the deadlines very much: a minister comes out, announces some figures spun out of thin air, and then there are those siphoning off this whole thing... You can do it either quickly or well; these are incompatible things."

Sergey Akhmetov emphasizes that Kazakhstan's information infrastructure is still largely on "crutches". This is what IT specialists call temporary solutions that have to be resorted to for urgent troubleshooting. The "crutches" are usually replaced later with something more reliable. But in the case of Kazakhstan's information security, there is nothing more permanent than temporary.

"The system always breaks down at the architecture layer: if it is poorly designed, then it is very difficult to protect it in the future. Roughly speaking, a house was built without your participation, and then you are called in as an expert and asked: do you think it can withstand nine points (reference to earthquakes - Ed.)? And there are a lot of violations at the construction level. This is also the case with many IT projects. Our whole architecture is old. Everyone digitized as best they could. I'm talking about government services now, not even about Kazakhtelecom, where everything is even worse. Thus, there cannot be a single solution; there are too many different projects. One of the options is to work more with security services, to hand the solution of problems to the market, which is easier to control," concludes Sergey Akhmetov.

Not a Cure-all

It is tempting to assume that Kazakh government agencies were simply being frugal with anti-virus protection. The programs used by the Chinese hackers can bypass 95% of modern anti-viruses, however. The country's information infrastructure is not ready for such attacks.

Olzhas Satiyev from TSARKA points out that the personal and corporate data of Kazakhstanis was stolen by a group of professionals with a clear idea of what information they wanted. IT experts call such groups APT (Advanced Persistent Threat - Ed.). They easily bypass anti-viruses.

"An anti-virus is not a cure-all. Any anti-virus can be bypassed. If you know that some company uses a certain anti-virus, then you script a specialized virus or Trojan that bypasses this particular anti-virus. That is, an anti-virus is more likely to protect against mass attacks," explains Olzhas Satiyev.

According to IT expert Sergey Akhmetov, the anti-virus provides a basic level of protection. It will help you recognize a Trojan-infected flash drive and warn you if a website is not secure. It will not save you from a targeted attack, though. The fact that the Chinese hackers easily infiltrated the networks of Kazakhstani telecom operators indicates that these companies did not pinch pennies on anti-viruses, but on more complex security elements.

"There should be a firewall along with the anti-virus, which should at least warn that there is something alien in the system and that it is transmitting data somewhere. And the whole system should have been closed off. This indicates the low workmanship of the Ministry of Digital Development, Innovation, and Aerospace Industry itself as a whole — it seems to me that they do not fully understand the scale of the problem. This is a nationwide precedent after which it is necessary to check all services, even those that are still being written," explained Sergey Akhmetov.
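The warning the expert describes, that "something alien" is transmitting data outward, is in practice an egress check over the perimeter device's connection records. The following Python script is an added illustration of that check and is not code from the article, the expert, or any vendor: it sums outbound bytes from each internal host to each external destination and flags pairs that exceed a byte budget. The log format, the RFC 1918 definition of "internal", the addresses (documentation ranges) and the 10 MiB threshold are all constructed assumptions for the example.

```python
"""Flagging bulk outbound transfers in perimeter connection logs (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>".
SAMPLE_LOG = """\
2024-02-20T09:01:02 10.10.5.21 203.0.113.7 443 18234
2024-02-20T09:01:09 10.10.5.22 203.0.113.7 443 20110
2024-02-20T09:02:11 10.10.5.23 198.51.100.4 443 15002
2024-02-20T09:03:40 10.10.5.21 10.10.9.9 445 904512
2024-02-20T09:05:12 10.10.5.30 192.0.2.55 443 52428800
2024-02-20T09:06:15 10.10.5.30 192.0.2.55 443 41943040
2024-02-20T09:07:01 10.10.5.22 203.0.113.8 80 7102
"""

# RFC 1918 ranges stand in for "inside the perimeter" (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Per (source, destination) byte budget for one log window; tune to the environment.
DEFAULT_THRESHOLD = 10 * 1024 * 1024  # 10 MiB


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def egress_totals(log_text: str) -> dict:
    """Sum bytes sent from each internal host to each external destination.

    Internal-to-internal traffic (e.g. a copy to a file server) is ignored:
    the question here is only what leaves the perimeter.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def flag_bulk_egress(log_text: str, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Return (src, dst, bytes) for every pair whose outbound volume exceeds the threshold."""
    return sorted((src, dst, n)
                  for (src, dst), n in egress_totals(log_text).items()
                  if n > threshold)


if __name__ == "__main__":
    for src, dst, n in flag_bulk_egress(SAMPLE_LOG):
        print(f"ALERT: {src} sent {n / (1024 * 1024):.1f} MiB to external host {dst}")
```

In the constructed sample only the host pushing about 90 MiB to one external address is flagged; the large internal SMB copy is deliberately not, which is the distinction a perimeter rule has to make. A real deployment would baseline the threshold per host and per time window rather than use a single fixed number.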

Valery Zubanov, Managing Director of Kaspersky Lab in Kazakhstan, Central Asia, and Mongolia, also notes that anti-viruses alone are not enough to protect data.

"An anti-virus solution is one of the last frontiers of protection. To prevent an attacker from reaching the endpoint, serious perimeter protection is needed: for example, protection of the web gateway and corporate mail, along with an in-depth analysis of all suspicious (and not only suspicious) events, and also tools capable of quickly responding to complex threats once detected. Cyber hygiene is also of great importance: spreading knowledge about cybersecurity among the organization's employees," says Valery Zubanov.

If an anti-virus is configured correctly, the success rate of a hacker attack will be notably reduced. But the technologies used by hackers are constantly being improved. Therefore, to protect against complex and targeted attacks, it is not enough to install good anti-viruses in all government agencies: a whole range of measures is necessary.

Not Enough Hands Make Work Hard

After the iSoon scandal, Majilis deputy Ekaterina Smyshlyaeva decided to check how many employees the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry has. It turned out that only four people are formally responsible for protecting the personal data of 20 million Kazakhstanis.

The staff of the committee includes a head, an expert, and two main experts. It is unlikely that these four will stop a hacker group consisting of dozens of cyber spies with powerful equipment and expensive software. Even the support of "ethical hackers", who help to find and close security gaps, will not solve the problem. Kazakhstan's information security services market is too small, and every specialist is worth their weight in gold.

"There is a need to create a separate cybersecurity agency. Yes, we have a regulator, the Information Security Committee under the Ministry of Digital Development, Innovation, and Aerospace Industry. But they won't be able to protect the whole country. Therefore, we need a separate agency that reports directly to the president or the Security Council, which has the authority to check any state information system for any problems, leaks, vulnerabilities. We have Antikor, we have FMA — there must be a cybersecurity agency," said Olzhas Satiyev, president of TSARKA.

It would be unfair to say that the aforementioned Information Security Committee is toothless. Yet, the decisions they take to protect the personal data of Kazakhstanis are more likely directed against internal threats. The committee, for instance, wants to codify the concept of “super administrator”. This will be the name of a technical specialist who has access to all systems and databases. There is virtually no regulation for such specialists at the moment.

"We understand that personal data leaks can occur, among other things, due to the impunity of super administrators, and we decided to remove this loophole. To do this, it is necessary to specify who the super administrator is, what requirements are imposed on them, and what technical measures will allow their work to be controlled," said Ruslan Abdikalikov, head of the Information Security Committee under the Ministry of Digital Development, Innovation and Aerospace Industry.

The committee explained that all information about the actions of super administrators is planned to be collected in a separate, blockchain-based database. The data will be sent from there to the State Technical Service. This will prevent administrators from covering their tracks in a system. Such innovations will help to combat leaks at the corporate level but in no way protect the data of Kazakhstanis from targeted hacker attacks from abroad.
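The property the committee is after, that an administrator cannot quietly edit or delete the record of their own actions, comes from chaining each audit record to the hash of the one before it and handing the latest hash to a second party. The Python below is an added example of that mechanism, written for this page; it is not the committee's design or the State Technical Service's system, and the record fields, the SHA-256 choice and the sample actions are assumptions. Verification against an externally held head hash is what catches a truncated log, which a chain alone cannot.

```python
"""Tamper-evident, hash-chained audit trail for privileged actions (added example)."""
import hashlib
import json

GENESIS = "0" * 64          # previous-hash value for the first record
FIELDS = ("actor", "action", "target", "ts")


def _digest(prev_hash: str, entry: dict) -> str:
    """Hash of this record's content bound to the previous record's hash."""
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditChain:
    """Append-only log kept by the system that observes the administrators."""

    def __init__(self):
        self.records = []

    def append(self, actor: str, action: str, target: str, ts: str) -> str:
        prev = self.head()
        entry = {"actor": actor, "action": action, "target": target, "ts": ts}
        rec = dict(entry, prev=prev, hash=_digest(prev, entry))
        self.records.append(rec)
        return rec["hash"]

    def head(self) -> str:
        """Latest hash; this is what gets shipped to the external verifier."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records: list, expected_head: str = None):
    """Walk the chain; return (True, None) or (False, index of first bad record).

    If expected_head is given (the hash the external party received), a log
    that was merely cut short is reported as bad at index len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        entry = {k: rec[k] for k in FIELDS}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, entry):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


def demo_chain() -> AuditChain:
    """Constructed sample actions; the names and targets are invented."""
    chain = AuditChain()
    chain.append("superadmin-01", "export_table", "pension/persons", "2024-02-20T10:00:00")
    chain.append("superadmin-01", "purge_audit", "pension/audit", "2024-02-20T10:05:00")
    chain.append("superadmin-02", "grant_role", "pension/persons", "2024-02-20T10:07:00")
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    head = chain.head()                      # sent off-box to the verifier
    print("intact:", verify(chain.records, head))
    edited = [dict(r) for r in chain.records]
    edited[1]["action"] = "read_only"        # admin rewrites their own entry
    print("edited:", verify(edited, head))
    print("truncated:", verify(chain.records[:-1], head))
```

Rewriting a record without recomputing its hash fails at that record; recomputing it breaks the `prev` link of the next record; and dropping the tail only shows up because the verifier already holds the head hash. Whether the second party stores that head in a blockchain or simply in its own write-once store does not change the check.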

Sergey Akhmetov believes that if we evaluate the security of Kazakhstan's information infrastructure as a percentage, then this figure will be a mere 30-35%. But it is possible to bring it up to 70-80%. The expert suggests recalling the experience in the banking sector. Indeed, relatively young Kazakhstani banks have managed to build a competent information security infrastructure and protect customer data.

According to Olzhas Satiyev, it is time for Kazakhstan to create its own "cyber army" of hackers to guard the country's “digital” borders. This task is becoming increasingly important by the day, considering that such attacks can stem from anywhere, even from states that are thought of as allies.

It Can Be Done Again

Cybersecurity experts warn that the iSoon leak is just the tip of the iceberg. The documents published online allow for a general understanding of the extent of Chinese hackers’ infiltration of Kazakhstan’s information networks. Olzhas Satiyev notes that there may be much more stolen data.

"What was posted on GitHub is only a small part of the information. Unfortunately, we do not see the full scale of the situation. Perhaps there will be subsequent leaks from the same hacker group that will show how much data they have leaked. But we see that there was a whole hacker group that worked with the special services of a country, which infiltrated the structures of telecom providers and other organizations in Kazakhstan, was there for two years, and pinpointed information about people of interest, including representatives of law enforcement agencies," says Olzhas Satiyev.

The iSoon hackers were collecting information. Unlike North Korean cyberspies, they did not infect computers with ransomware programs and did not try to disrupt the work of government agencies’ websites. The Guardian, citing British and American IT experts, points out that such massive data collection can serve as a foundation for malicious actions in the future. And now Kazakhstan is virtually unprotected from new attacks.

"It seems to me that the probability of a repeat of such an attack is about 90%. Honestly and objectively speaking, if the Chinese want to get some information from us, they will. I looked at GitHub — there is pretty serious data there. And this is just what has leaked," says Sergey Akhmetov.

The risk of new leaks is high. According to experts, private companies that do not allocate the appropriate funds for information security are exposed to it.

"Classic risks for organizations are the loss of personal and other critical data, business process shutdown, theft of funds, and, as a result, serious damage to reputation. With a successful attack on manufacturing enterprises, the consequences can be no less serious, starting with the shutdown of technological processes and ending with man-made disasters," warns Valery Zubanov.

Chinese hackers had been quietly operating in the information infrastructure of the Republic of Kazakhstan for two years. It took another year to close the gaps they used. Perhaps a new hacker attack is already underway, and the personal data of Kazakhstani intelligence officers is leaking abroad right now.

"We do not know how many other such groups there are working for the special services of foreign countries that are engaged in cyber espionage, extortion of money, and so on. Perhaps all of them are also in our infrastructure: in the systems of banks, other telecom operators, and government agencies. Unfortunately, based on this case, we have to accept the fact that these groups are here, collecting and selling data, engaged in cyber espionage," Olzhas Satiyev summed up.

Hackers, and not only Chinese, can infiltrate Kazakhstan's critical information infrastructure in a way that no one at the Ministry of Digital Development, Innovation and Aerospace Industry will notice. And neither Bagdat Musin, who regularly reports on the scale of digitalization, nor the four people safeguarding Kazakhstanis’ data will be able to explain to Kazakhstanis why citizens' personal data is completely unprotected from foreign cyber spies.

Original Author: Nikita Drobny

DISCLAIMER: This is a translated piece. The text has been modified, the content is the same. Please refer to the original piece for accuracy.
