Noisy Bear’s BarrelFire Campaign Targets Kazakhstan’s Energy Sector

In a series of sophisticated cyberattacks, a threat actor identified as Noisy Bear has been targeting Kazakhstan’s energy sector, specifically focusing on employees of KazMunaiGas (KMG). This campaign, dubbed Operation BarrelFire, has been active since at least April 2025 and is believed to be of Russian origin.

Initial Intrusion:

The attack begins with spear-phishing emails sent from a compromised KMG finance department email account. These emails contain a ZIP attachment that includes a Windows shortcut (LNK) downloader, a decoy document related to KMG, and a README.txt file with instructions in both Russian and Kazakh. The decoy document mimics official internal communications, covering topics such as policy updates, internal certification procedures, and salary adjustments. The README.txt file instructs recipients to run a program named KazMunayGaz_Viewer.

Infection Chain:

Upon execution, the LNK file initiates a multi-stage infection process:

1. Batch Script Execution: The LNK file drops a malicious batch script designed to evade sandbox environments and disable Windows’ Anti-Malware Scan Interface (AMSI).

2. PowerShell Loader Deployment: The batch script launches a PowerShell loader, referred to as DOWNSHELL, which downloads and executes additional payloads.

3. DLL Implant Installation: DOWNSHELL deploys a 64-bit DLL implant that can run shellcode to establish a reverse shell, allowing attackers to execute commands remotely.

Infrastructure and Attribution:

Noisy Bear’s command-and-control servers are hosted on Russia-based bulletproof hosting services, notably Aeza Group, which was sanctioned by the U.S. in July 2025 for facilitating malicious activities. Language artifacts within the malware code and the targeting patterns suggest a Russian origin for the group.

Comparative Threat Landscape:

This campaign is part of a broader trend of cyberespionage activities targeting critical infrastructure. For instance, the Belarus-aligned group Ghostwriter has been linked to attacks on Ukraine and Poland, utilizing rogue ZIP and RAR archives to collect information and deploy implants for further exploitation. Similarly, Russian state-sponsored groups like Energetic Bear have a history of targeting the energy sector in Western Europe and North America, employing tactics such as spear-phishing and watering hole attacks.

Mitigation Strategies:

Organizations in the energy sector should implement the following measures to defend against such sophisticated attacks:

– Email Security Enhancements: Deploy advanced threat protection gateways to detect and block malicious attachments and links.

– PowerShell Monitoring: Enable logging and enforce strict execution policies to identify and prevent unauthorized script activities.

– Endpoint Protection: Regularly update antivirus definitions and utilize behavior-based detection tools to identify in-memory threats like DOWNSHELL.

– Employee Training: Conduct regular training sessions to help employees recognize and report phishing attempts.

– Incident Response Planning: Develop and regularly test incident response plans to ensure swift containment and remediation of breaches.

By adopting these strategies, organizations can enhance their resilience against cyber threats and protect critical infrastructure from potential disruptions.