A recently reported cyber campaign allegedly targeting Kazakhstan’s energy sector, initially linked to a threat actor dubbed Noisy Bear, has been clarified as a planned phishing exercise by KazMunayGas, the country’s state-owned oil and gas company.

Originally, cybersecurity researchers identified the activity under the codename Operation BarrelFire, suggesting a Russian-origin threat group targeting KazMunayGas employees with phishing emails containing malicious attachments. The emails were said to mimic internal communications, including policy updates, IT certification procedures, and salary adjustments.

The reported attack chain involved ZIP attachments containing a Windows shortcut (LNK) downloader, a decoy document, and instructions in Russian and Kazakh to run a program named KazMunayGaz_Viewer. Payloads were reportedly designed to drop scripts that would eventually execute a DLL implant capable of launching reverse shells for post-exploitation activities. Researchers also noted connections to bulletproof hosting in Russia and similarities to malware campaigns targeting Ukraine and Poland, including the use of VBA macros, Cobalt Strike, and Slack-based exfiltration channels.

Additional reports highlighted other regional threats, such as Russian-targeted campaigns leveraging techniques like BYOVD (Bring Your Own Vulnerable Driver), information stealers like Phantom Stealer, and Android malware disguised as FSB-branded antivirus apps, designed to extract sensitive data from devices.

However, according to Orda.kz, KazMunayGas has clarified that the screenshots and scenarios described in the reports were part of an internal phishing training exercise conducted in May 2025. The aim was to test employee awareness and response to phishing attempts, not an actual cyber espionage operation.

This update underscores the importance of verifying cybersecurity reports and highlights the role of internal phishing simulations as a proactive measure to enhance employee security awareness.

Source: https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html