Cyber Incident Victim: Republic of Kazakhstan
Date:
Jul 2021
Location:
Kazakhstan
Summary
The Kazakhstan e-government portal experienced a compromise where malicious actors uploaded Razy malware to its legalacts and budget subdomains, disguising it as legitimate documents such as regional resolutions and financial summaries. Security researchers identified the watering hole attack, noting the malware's distribution through seemingly official files, which exploited public trust in government platforms to deliver the trojan downloader to unsuspecting users.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around July 9, 2021, security researchers identified a malware infection affecting sections of Kazakhstan's e-government portal (eGov.kz). The attack involved the Razy Trojan downloader, a Windows-based malware known for disguising itself as legitimate software or documents on trusted websites. Threat actors compromised the legalacts.egov.kz and budget.egov.kz subdomains, uploading malicious files masquerading as official government documents: one presented itself as a regional akimat resolution, another as a financial summary of the akimat budget. Forensic analysis by the cybersecurity firm T&TSecurity concluded that the malware had been present on the portal since at least January 2021, the creation date of the second malicious document. The attack constituted a watering hole campaign, targeting users who routinely accessed these government resources for legitimate administrative purposes.

The lure's longevity on the portal stemmed from the fact that the files looked like authentic free software or credible documents hosted on a government platform, so nothing about their placement prompted suspicion. Upon execution, the Trojan downloader would fetch and run further malicious payloads on the victim's system. Zerde National Infocommunication Holding JSC, the state-owned entity overseeing national ICT infrastructure, publicly confirmed the breach through its press service following T&TSecurity's investigation; the disclosure included the specific compromised URLs and technical details about the malware's deployment. No quantitative data regarding affected users or systems was provided in available reports. The incident exposed citizens and organizations that downloaded budgetary or regulatory documents to potential system compromise, though the full operational impact remained unquantified in public statements. Publicly reported response actions were limited to threat identification, public acknowledgment, and removal of the malicious files from the affected subdomains.
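The core of the watering hole described above is that a trusted portal served files whose names and context said "document" while their bytes said "Windows program". The page does not state the exact form of the masquerading files, so the following check is an added example, not code from the portal, Zerde or T&TSecurity; it assumes the lures were PE executables with document-like names (the kind of payload a Windows Trojan downloader such as Razy is) and shows the content-versus-name validation a publishing pipeline could run before serving a file as an official document. The file names and bytes in SAMPLES are constructed for the example.

```python
"""Content-versus-name checks for files published as official documents (added example)."""

# Leading bytes of formats a document portal would legitimately serve.
DOCUMENT_MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 compound file (.doc/.xls)",
    b"PK\x03\x04": "zip container (.docx/.xlsx)",
    b"{\\rtf": "rtf",
}
# Leading bytes of executables that must never be served as a "document".
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, used to hide the real extension in a name


def sniff(data: bytes):
    """Classify content by its leading bytes: ('executable'|'document', label) or (None, None)."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "executable", label
    for magic, label in DOCUMENT_MAGIC.items():
        if data.startswith(magic):
            return "document", label
    return None, None


def classify_document(name: str, data: bytes) -> dict:
    """Decide whether a file offered as an official document may be served.

    Flags the lures a watering-hole operator relies on: executable content behind a
    document-looking name, double extensions (budget.xlsx.exe) and RLO-disguised names.
    """
    reasons = []
    parts = name.lower().split(".")
    declared = parts[-1] if len(parts) > 1 else ""
    if declared not in DOCUMENT_EXTENSIONS:
        reasons.append(f"extension '.{declared}' is not an allowed document type")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and declared not in DOCUMENT_EXTENSIONS:
        reasons.append("double extension: document extension followed by another")
    if RLO in name:
        reasons.append("file name contains RIGHT-TO-LEFT OVERRIDE")
    kind, label = sniff(data)
    if kind == "executable":
        reasons.append(f"content is a {label}, not a document")
    elif kind is None:
        reasons.append("content does not match any allowed document format")
    return {
        "name": name,
        "content": label,
        "verdict": "reject" if reasons else "accept",
        "reasons": reasons,
    }


# Constructed samples: one genuine PDF header and three lures (hypothetical names).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLES = {
    "akimat_resolution.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "akimat_budget_summary.docx": PE_STUB,          # executable with a document name
    "budget.xlsx.exe": PE_STUB,                     # classic double extension
    "resolution" + RLO + "fdp.exe": PE_STUB,        # renders as 'resolutionexe.pdf'
}


def scan_all(samples: dict) -> dict:
    """Run classify_document over a name -> bytes mapping and return name -> result."""
    return {name: classify_document(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all(SAMPLES).items():
        print(f"{result['verdict']:6s} {name!r}: {'; '.join(result['reasons']) or result['content']}")
```

The magic-byte test catches an executable dressed as a document, which is the failure mode this incident illustrates, but it says nothing about a genuine Office file carrying a malicious macro or a PDF with embedded JavaScript; those need the container opened and inspected (or detonated) rather than just sniffed.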
