Following a protest movement that swept across Kazakhstan in January, the Kazakh government deployed spyware to monitor activists, a cybersecurity research group has found.
The program, dubbed “Hermit” by the Lookout Threat Lab, is functionally similar to the Israeli-made Pegasus spyware, although it was designed by the Italian group RCS Lab.
The detected sample is designed specifically for Android devices, although Lookout believes an iOS version also exists.
“Named after a separate server path used by the attacker’s command and control (C2), Hermit is modular surveillance software that hides its malicious capabilities in packages downloaded after deployment,” Lookout said in its report.
The January protests in Kazakhstan were sparked by rising fuel prices and quickly turned violent. At the center of popular anger was former President Nursultan Nazarbayev, 81, who had ruled the former Soviet country since its independence in 1991.
His family is believed to control much of the country’s economy. Nazarbayev resigned in 2019 and chose his successor but remained in power behind the scenes until January.
Kazakhstan is not the only country in which the spyware has been deployed. The lab has also found evidence of its use in Rojava, the Kurdish-majority region of northern Syria that has been besieged by both the Turkish military and the Syrian government of Bashar Al-Assad.
“Before detecting the samples from Kazakhstan, we found a reference to ‘Rojava,’ a Kurdish-speaking region in northeast Syria, in Hermit’s passive DNS records,” Lookout said. “The domain we found (rojavanetwork[.]info) specifically mimics ‘Rojava Network’, a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.” SDF stands for Syrian Democratic Forces.
The software has also been rolled out in its home country of Italy, the Italian parliament revealed in 2021.
“Italian authorities potentially misused it in an anti-corruption operation,” the report said.
In addition to Kazakhstan and Syria, RCS Lab also has ties to Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.
Turkmenistan is considered one of the most repressive states in the world and Myanmar has been accused of carrying out genocide against its Rohingya minority since at least 2016.