The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on intelligence gathering in Central Asia, new Kaspersky findings reveal.
“The end of Tomiris seems to be consistently the usual theft of internal documents,” security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. “Threat Actor Targets CIS Governmental and Diplomatic Entities”.
The Russian cybersecurity firm’s latest assessment is based on three new attack campaigns carried out by the hacking group between 2021 and 2023.
Tomiris first came to light in September 2021 when Kaspersky highlighted its possible connections to Nobelium (aka APT29, Cozy Bear or Midnight Blizzard), the Russian nation-state group behind the attack on the SolarWinds supply chain.
Similarities have also been discovered between the backdoor and another malware strain called Kazuar, which is attributed to the Turla group (also known as Krypton, Secret Blizzard, Venomous Bear or Uroburos).
The group’s spear-phishing attacks have leveraged a “polyglot toolkit” that includes a variety of low-sophistication “burner” implants that are coded in different programming languages and deployed repeatedly against the same targets .
In addition to using open source or commercially available offensive tools such as RATel and Warzone RAT (aka Ave Maria), the arsenal of custom malware used by the group falls into one of three categories: downloads, backdoors and information thieves:
- Televisions – A Python backdoor that uses Telegram as a command and control channel (C2).
- Roopy – A Pascal-based file stealer designed to siphon files of interest every 40-80 minutes and exfiltrate them to a remote server.
- JLORATED – A file stealer written in Rust that collects system information, executes commands issued by the C2 server, uploads and downloads files, and captures screenshots.
Kaspersky’s investigation into the attacks has identified further overlaps with a Turla cluster tracked by Google-owned Mandiant named UNC4210, finding that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS through Telemiris.
“More precisely, on September 13, 2022, at around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy,” the researchers explained.
Zero Trust + Deception – Learn to Outsmart Attackers!
Learn how Deception can detect advanced threats, stop lateral movement, and improve your Zero Trust strategy. Join our in-depth webinar!
Save my seat!
“These efforts were thwarted by the security products, which caused the attacker to make repeated attempts, from various locations on the file system. All of these attempts ended in failure. After a pause of one hour, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample. The TunnusSched sample also crashed.”
That said, despite possible links between the two groups, Tomiris is said to be separated from Turla due to differences in their orientation and trades, again raising the possibility of a false flag operation.
On the other hand, it is also very likely that Turla and Tomiris collaborate on select operations or that the two actors rely on a common software supplier, as exemplified by the use of Russian military intelligence agencies of tools supplied by a Moscow-based IT contractor called NTC. Vulcan.
“In general, Tomiris is a very agile and determined actor, open to experimentation,” the researchers said, adding that “a form of deliberate cooperation exists between Tomiris and Turla.”
Source link
Recent reports originating from Central Asia state that a group of Russian hackers, known as Tomiris, have been targeting the region for intelligence gathering.
The Tomiris group is a known organization with ties to the Russian government and intelligence services. The group reportedly hit multiple Central Asian countries in a campaign meant to acquire sensitive information.
The victims of this data breach are said to have included government agencies, military organizations, and businesses. Among the data they were able to obtain were personal and financial information, authentication details, routing numbers, passwords, and more.
Experts fear that this could be a sign of increased cyberactivism in Central Asia. Intelligence gathering via cyber espionage and hacktivism tactics has been a threat for years, but the concentration of activity in the region signals potential escalation.
This recent uptick in cyberattacks raises questions regarding how to better protect Central Asian countries from hacking. Security solutions and better threat detection capabilities are needed in the region if effective countermeasures are to stand any chance of success.
Fortunately, the global tech community can offer assistance. Companies like Ikaroa, a full stack tech company with experience securing IT solutions, can help build better defense systems and provide data protection solutions for Central Asian countries.
Ikaroa’s ability to provide high-quality security systems means that Central Asian countries have access to the resources they need to protect themselves from these kinds of security threats.
Tomiris’ intelligence-gathering campaign is a stark reminder of the need for improved cyber defense solutions. It’s clear that the cyber security landscape in Central Asia needs to be addressed, and with the help of tech industry leaders like Ikaroa, countries in the region can stay better protected in the future.
