A little-known Russian-speaking cyber espionage group has been linked to a new politically motivated surveillance campaign targeting senior government officials, telecommunications services and utility infrastructure in Tajikistan.
The intrusion set, dubbed Paperbug by Swiss cyber security firm PRODAFT, has been attributed to a threat actor known as Nomadic Octopus (aka DustSquad).
“The types of machines compromised range from individuals’ computers to [operational technology] devices,” PRODAFT said in a deep-dive technical report shared with The Hacker News. “These goals make Operation ‘Paperbug’ intelligence-driven.”
The ultimate motive for the attacks is unclear at this stage, but the cyber security firm has raised the possibility that it could be the work of opposition forces within the country or, alternatively, an intelligence gathering mission carried out by Russia or China.
Nomadic Octopus first came to light in October 2018, when ESET and Kaspersky detailed a series of phishing attacks carried out by the actor against several countries in Central Asia. The group is believed to have been active since at least 2014.
Its cyber offensives have involved custom Android and Windows malware used against a mix of high-value entities such as local governments, diplomatic missions and political blogs, raising the possibility that the threat actor is involved in cyber surveillance operations.
The Windows malware, dubbed Octopus and disguised as an alternative version of the Telegram messaging app, is a Delphi-based tool that allows an adversary to snoop on victims, siphon sensitive data and gain backdoor access to compromised systems via a remote command-and-control (C2) panel.
A subsequent analysis by Gcow Security in December 2019 highlighted attacks by the advanced persistent threat (APT) group against the Ministry of Foreign Affairs of Uzbekistan to deploy Octopus.
PRODAFT’s findings stem from the discovery of an operational environment run by Nomadic Octopus since 2020, making Paperbug the first campaign orchestrated by the group since Octopus.
According to data collected by the company, the threat actor managed to gain access to a telecommunications company’s network before moving laterally to more than a dozen targets, focusing on government networks, executives and OT devices with publicly known vulnerabilities. Exactly how and when the telecommunications network was infiltrated is unknown.
“Operation PaperBug aligns with the common trend of attacking government infrastructure in Central Asia that has recently become more prominent,” noted PRODAFT.
Nomadic Octopus is believed to show some level of cooperation with another Russian nation-state actor known as Sofacy (aka APT28, Fancy Bear, Forest Blizzard, or FROZENLAKE), based on victimology overlaps.
The latest attacks also involved the use of an Octopus variant that includes functions to take screenshots, execute commands remotely, and download and upload files to and from the infected host to a remote server. One such artifact was uploaded to VirusTotal on April 1, 2021.
A look at the command-and-control (C2) server reveals that the group had successfully compromised a total of 499 systems as of January 27, 2022, some of which include government network devices, gas stations, and a cash register.
The group, however, does not appear to possess advanced toolsets or be overly concerned with covering their tracks on victim machines despite the high-risk nature of the attacks.
“As they operate on the compromised machines to steal information, they sometimes inadvertently trigger permission pop-ups on victims’ computers, leading to the victim’s suspicion,” the company noted. “However, this was resolved because the group diligently labeled the files they transfer as benign and unobtrusive programs.”
The same tactic also extends to naming its malicious tools, with the group disguising them as popular web browsers such as Google Chrome, Mozilla Firefox and Yandex to fly under the radar.
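The masquerading described above (malware named after Google Chrome, Mozilla Firefox or Yandex Browser) is cheap to spot if you compare an executable's name against where the genuine browser lives and who signs it. The following is an added detection example, not code from the report or from PRODAFT; the process records, the expected install directories, and the signer names are simplified, constructed assumptions that a real fleet baseline would replace.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical process/file records, as an EDR or Sysmon export might provide them.
@dataclass
class ProcRecord:
    image_path: str   # full on-disk path of the executable
    signer: str       # subject of the Authenticode signature, "" if unsigned

# Assumed (simplified) locations and signers of the genuine browsers.
# Keys are lower-cased file names; values are (directory regex, expected signer).
KNOWN_BROWSERS = {
    "chrome.exe":  (r"^c:\\program files( \(x86\))?\\google\\chrome\\application\\", "Google LLC"),
    "firefox.exe": (r"^c:\\program files( \(x86\))?\\mozilla firefox\\", "Mozilla Corporation"),
    "browser.exe": (r"^c:\\users\\[^\\]+\\appdata\\local\\yandex\\yandexbrowser\\application\\", "YANDEX LLC"),
}

def classify(rec: ProcRecord) -> Optional[str]:
    """Return a reason string if the record looks like a browser-name masquerade, else None."""
    path = rec.image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name not in KNOWN_BROWSERS:
        return None                     # not a browser name, nothing to compare against
    dir_pattern, expected_signer = KNOWN_BROWSERS[name]
    reasons = []
    if not re.match(dir_pattern, path):
        reasons.append("unexpected directory")
    if rec.signer != expected_signer:
        reasons.append("signer %r != %r" % (rec.signer, expected_signer))
    return "; ".join(reasons) if reasons else None

def find_masquerades(records: List[ProcRecord]) -> List[Tuple[str, str]]:
    """Run classify() over all records and keep only the suspicious ones."""
    hits = []
    for rec in records:
        why = classify(rec)
        if why:
            hits.append((rec.image_path, why))
    return hits

# Constructed sample records (not real telemetry).
SAMPLE = [
    ProcRecord(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Google LLC"),
    ProcRecord(r"C:\Users\alice\AppData\Roaming\chrome.exe", ""),
    ProcRecord(r"C:\Users\bob\AppData\Local\Temp\firefox.exe", "Mozilla Corporation"),
    ProcRecord(r"C:\Users\bob\AppData\Local\Yandex\YandexBrowser\Application\browser.exe", "YANDEX LLC"),
    ProcRecord(r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path, why in find_masquerades(SAMPLE):
        print(f"SUSPICIOUS {path}: {why}")
```

Only the two records whose name says "browser" but whose location or signature does not are flagged; the genuine Chrome and Yandex binaries and the unrelated notepad.exe pass.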
That said, Paperbug’s attack chains are largely characterized by the use of public offensive tools and generic techniques, which effectively act as a “cloak” for the group and make attribution much more difficult.
“This imbalance between the operator’s skills and the importance of the mission could indicate that the operators have been recruited by some entity that provided them with a list of commands that must be executed on each machine exactly,” PRODAFT said, adding that “the operator follows a checklist and is obliged to respect it”.
Recent reports have revealed that the government of Tajikistan is engaged in a politically-motivated surveillance campaign against its citizens. The surveillance campaign is reportedly being carried out in cooperation with an overseas-based firm, Ikaroa Technologies, which provides governments with advanced surveillance capabilities to track and monitor citizens’ online activity.
Ikaroa Technologies has been used by Tajikistan’s government to monitor and record audio and video conversations of political dissidents and to gain access to private social media accounts. Additionally, Ikaroa Technologies has provided the Tajikistan government with software that can be used to hack into computers and devices, as well as monitor emails, texts and instant messages.
The Tajikistan government’s surveillance campaign is a clear violation of international human rights standards and principles, including those set forth by the International Covenant on Civil and Political Rights, which guarantees the right to privacy.
Ikaroa Technologies has been criticised for providing the Tajikistan government with the tools to carry out such a politically-motivated surveillance campaign. In light of these reports, Ikaroa Technologies should be held to account for its involvement in such practices and must work to ensure that its technologies are not being used to facilitate human rights abuses.
No government should have access to such expansive surveillance capabilities and there should be a clear legal framework in place to protect citizens’ right to privacy. Going forward, Ikaroa Technologies must take measures to ensure that its tools are not used to violate the privacy and freedom of expression of its citizens.