Threat Group Cards: A Threat Actor Encyclopedia

APT group: Operation Manul

Names	Operation Manul (Electronic Frontier Foundation)
Country	Kazakhstan
Motivation	Information theft and espionage
First seen	2015
Description	(Electronic Frontier Foundation) This report covers a campaign of phishing and malware which we have named “Operation Manul” and which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword) to allegations of kidnapping. Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. A hired actor is consistent with our findings on the Command and Control servers related to this campaign, which included web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document with an attachment containing a blurry image. An investigation by the Swiss federal police of some of the emails linked to Operation Manul concludes that they were sent from IP addresses in India, which also suggests a link to Appin.
Observed	Sectors: journalists and dissidents. Countries: Europe.
Tools used	Bandook, JRat.
Information	<https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf>

Last change to this card: 09 August 2021

Download this actor card in PDF or JSON format