Cyberattack on Kazakhstan's Largest Oil Company Was 'Simulation'


The flags of Kazakhstan and Russia, with a tear down the center

Source: Daniren via Alamy Stock Photo

UPDATE

A cybersecurity company acknowledged that malicious activity targeting a Kazakhstan oil and gas company that it initially attributed to a likely Russian threat group was actually a large-scale phishing exercise.

From a distance, it looked like a full-on cyber campaign from a new threat actor, likely based in Russia, which researchers from Seqrite Labs took the liberty of naming "Noisy Bear." They spotted similar telemetry in attacks across Central Asia, they said, with a particularly notable case of espionage against Kazakhstan oil giant ҚазМұнайГаз (anglicized as "KazMunayGas," or KMG for short).

After communicating with KMG, one week after first reporting the incident, the researchers came to realize that it was merely a red team exercise. "Thankfully, as KMG has publicly acknowledged, this was not an actual cyberattack but an internal simulation exercise," the company said in an update to its original report.

The simulation featured tactics, techniques, and procedures (TTPs) observed in other cyberattacks in the region, along with some advanced stealth techniques.

Simulated Russian Attack Chain

With a compromised email address belonging to a KMG finance department employee, the red team attackers sent phishing emails to various other employees. The emails were made to impersonate mundane company business — recipients were tasked with reviewing work schedules, incentive systems, and wages "in connection with recent changes in corporate policy." The intentionally banal subject matter was contradicted somewhat by the manufactured urgency with which it was presented — the subject line said "URGENT!" and the note urged recipients to address the contents of the email within days of receiving it.


The email pointed recipients to a zip file, containing within it a decoy document and a shortcut (LNK) file deceptively named "Salary Schedule.lnk." When executed, the LNK downloaded a batch script, which in turn retrieved the attackers' PowerShell loader, dubbed "DownShell."

DownShell consists of two complementary scripts. The first is tasked with anti-analysis, by undermining the Windows Antimalware Scan Interface (AMSI).

AMSI is a bridge that allows any antimalware programs to scan other applications and services on the same system for malicious code. For example, if a script is loaded to be run in PowerShell, or a file about to execute in an Office program, AMSI passes the content to Microsoft Defender or a third-party antivirus program, which checks it for potential threats. 


To get around this and execute its malicious loader, Noisy Bear used a known bypass trick. Without need for any special privileges or particularly sophisticated code, the hackers toggled a setting within PowerShell that, when true, indicates to the program that AMSI has failed to initialize.

Now that AMSI was "broken," the coast was clear for DownShell's second-stage script, the actual loader. This script's big trick was CreateRemoteThread Injection. In simple terms, it hijacked a normal Windows process — File Explorer — and forced it to create a new, hidden task where its malicious code could run under the protective guise of that legitimate process. That code established a reverse shell for the attackers.
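As an added illustration (not code from the Seqrite Labs report or from KMG), the Python below sketches how a defender might flag the two stages described above in host telemetry: PowerShell script-block logging (Event ID 4104) for reflective tampering with the AMSI "init failed" flag, and Sysmon CreateRemoteThread events (Event ID 8) from a script host into explorer.exe. The event records are constructed sample data in the style of those logs, not telemetry from the exercise.

```python
import re

# Constructed sample telemetry: one suspicious and one benign PowerShell script
# block (Event ID 4104), one suspicious and one benign Sysmon CreateRemoteThread
# record (Event ID 8). Field names follow the real logs; values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Reports | Sort-Object Length"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

# Reflection that reaches the AMSI "initialization failed" flag inside PowerShell,
# i.e. the setting DownShell's first script flips so later content is never scanned.
AMSI_TAMPER = re.compile(r"AmsiUtils.*amsiInitFailed|amsiInitFailed.*SetValue",
                         re.IGNORECASE | re.DOTALL)

# Script hosts that have no legitimate reason to create threads inside File Explorer.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_name) for every event that matches a stage."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4104 and AMSI_TAMPER.search(ev.get("ScriptBlockText", "")):
            hits.append((i, "amsi_init_failed_tamper"))
        elif (ev.get("EventID") == 8
              and basename(ev.get("TargetImage", "")) == "explorer.exe"
              and basename(ev.get("SourceImage", "")) in SCRIPT_HOSTS):
            hits.append((i, "remote_thread_into_explorer"))
    return hits


def full_chain_seen(events) -> bool:
    """True when both stages (AMSI tamper, then injection into Explorer) appear."""
    rules = [name for _, name in detect(events)]
    return "amsi_init_failed_tamper" in rules and "remote_thread_into_explorer" in rules


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("full DownShell-style chain:", full_chain_seen(SAMPLE_EVENTS))
```

In production the two stages would be correlated per host and time window rather than over one flat list, and the 4104 rule should be paired with a check that script-block logging itself has not been disabled.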

International Attack or Simple Pen Test?

In communications with Seqrite Labs, KMG clarified that it was not attacked — it merely conducted a security exercise. Seqrite Labs initially pushed back on KMG's denials. In comments to Dark Reading this week, the company claimed that aspects of the attacks, such as forensic evidence and the use of a sanctioned Russian bulletproof hosting provider, Aeza Group, indicated the activity was conducted by threat actors. 

However, in an update to its original report, Seqrite Labs confirmed it was not a real cyberattack.


The simulation reflects broader threats faced by organizations in the region. Seqrite Labs researchers said that "beyond Kazakhstan’s oil and gas sector, we’ve seen infrastructure and tooling overlaps across other Central Asian targets," pointing, for example, to the Silent Lynx group.

In theory, KMG could be of particular interest to Russian attackers, or anyone else interested in Central Asia. It's not just a state-owned oil and gas company, or Kazakhstan's largest such company, raking in billions of dollars every year. It's also the country's largest company, full stop. Much of its customer base is in Europe where, amid Putin's security threats to the European Union (EU) and Ukraine, some countries have been trying to wean themselves off of Russian gas.

Dark Reading contacted KMG for comment and will update this article should a company representative reply.

This story was updated on Sept. 11, 2025 at 5:15 p.m. ET, after the researchers acknowledged the event was a red team exercise, not a real cyberattack.
