A Russia-linked threat group tracked as TAG-110 is behind a cyber espionage campaign targeting organizations in Central Asia, East Asia, and Europe. Its targets are concentrated among government agencies, human rights organizations, and educational institutions.
Initial access comes through exploited vulnerabilities in public-facing web applications and through phishing emails. Once inside, TAG-110 deploys two custom tools: HATVIBE, a loader, which in turn delivers CHERRYSPY, a Python-based backdoor used for data theft and long-term surveillance of the compromised host.
The group, active since at least 2021, has primarily targeted Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan. This concentration on Central Asia is consistent with operations in support of Russia's geopolitical interests in the region. Smaller-scale activity has also been observed in Ukraine, Armenia, China, Hungary, India, and Greece.
The use of HATVIBE and CHERRYSPY was first documented in May 2023 during an attack on Ukrainian state agencies. A year later, the same tools were found in a breach of a scientific research institution in Ukraine. To date, researchers have identified at least 62 unique victims across 11 countries.
TAG-110’s actions align with Russia’s broader strategy of maintaining influence in post-Soviet states and countering geopolitical adversaries. Cyber operations like these support Moscow’s hybrid warfare approach, which combines cyberattacks with physical sabotage to destabilize opponents.
For example, since the invasion of Ukraine in 2022, Russia has intensified attacks on European critical infrastructure in NATO-aligned countries such as Estonia, Finland, and Poland. These efforts aim to weaken NATO alliances, disrupt military capabilities, and hinder support for Ukraine.
Defenders should prioritize the controls that map to TAG-110's known entry points. Because exploitation of public-facing web applications is one of the group's initial-access methods, keeping those applications patched and monitored is the most directly relevant measure, backed by intrusion detection on the network edge. Phishing awareness training reduces the chance that the second vector succeeds, and multi-factor authentication limits what an attacker can do with credentials obtained through it.
Closer network monitoring and segmentation of critical systems constrain an intruder who does get a foothold, limiting how far a loader-and-backdoor chain like HATVIBE and CHERRYSPY can spread. Sustained collaboration between governments and private organizations remains essential to keep pace with these evolving threats.