Noisy Bear Hackers Reportedly Attacked KazMunayGas

An unknown hacker group, calling itself Noisy Bear, has attacked the digital infrastructure of the national company KazMunayGas. The attackers used phishing emails disguised as corporate newsletters to gain access to important internal information, Orda.kz reports.

Specialized foreign media, including Malware News and Cyber Security News, have reported on the new cyber threat. According to their information, Noisy Bear has been active since April, targeting energy and oil and gas companies in Central Asia, with KazMunayGas as its main focus.

The campaign is targeted towards employees of KazMunayGas or KMG where the threat entity delivered a fake document related to KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments, writes Malware News.

The hackers used phishing emails with ZIP attachments that contained an installer launching a malicious script.

Victims’ computers were infected with malware written in PowerShell, which allows attackers to bypass traditional antivirus protection. The first attacks were recorded in April, and in May, mass distribution of the infected file began, sent to KazMunayGas employees under the guise of a payroll schedule.

According to Malware News, the phishing email used the KazMunayGas logo and included detailed instructions in Kazakh and Russian on how to download and open the malicious file. To appear legitimate, the text referenced the company’s IT department.

But opening the link redirected users to a foreign server, which then downloaded the file onto the victim’s computer and launched the malicious script.

Based on the server IP address cited by analysts, it was located in Moscow. Comments in the script description were written in Russian.

In the analyzed files, experts found references to Aeza Group LLC, a Russian hosting company sanctioned by the United States in the summer of 2025.

Analysts conclude that the attack was most likely carried out by Russian hackers.

In our ongoing tracking of Noisy Bear, we have a lot of artefacts, such as languages present inside the tooling, usage of sanctioned web-hosting services and similar behavioral artefacts with related to Russian threat entities which have previously targeted similar Central Asian nations, we attribute the threat actor possibly could be of Russian origin, Malware News reported.

Cyber Security News notes that the attack methodology demonstrates a high level of social engineering. The hackers knew exactly whom to target and how to “package” the malicious content to infect as many devices as possible.

Orda.kz will request comments from KazMunayGas and the Ministry of Digital Development to clarify the damage caused by the attack and whether its consequences have been eliminated.

This is not the first reported incident involving Russian hackers in 2025. In January, it became known that attackers, allegedly linked to the Kremlin, organized a campaign to collect strategically important information in Central Asian countries, including Kazakhstan.

Later, in March, hackers attacked the website of the Kazakh embassy in Russia.

Original Author: Nikita Drobny