One of Kazakhstan's telecommunication organizations contacted a security solution provider in October 2021 with a suspicion that malware was present on the company's network. During the investigation, the researchers determined that the company's internal servers had been infiltrated since 2019. They also identified Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utility, and RemCom as the attackers' main tools, in use for several years.
The research concluded that the threat actor group specialized in infecting the mail servers of Asian firms that had Microsoft Exchange software installed. Victims were found not only in Kazakhstan but in several other countries as well, including an Egyptian government agency, an Italian airport, a marketing company in the USA, and Canadian transport and woodworking companies.
Logs gathered from the command and control server listed victims compromised between August 2021 and early November 2021. In some cases, BackDoor.Whitebird.30 was installed not only on the Microsoft Exchange server but also on domain controllers. Based on these findings, the security researchers concluded that the Calypso APT hacker group is behind the attack.