
Russian Hackers Tomiris Targeting Central Asia For Intelligence Gathering

New research from Kaspersky shows that the Russian-speaking threat actor behind the backdoor known as Tomiris is especially interested in intelligence gathering in Central Asia.

“Tomiris’s endgame consistently appears to be the regular theft of internal documents,” security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. “The threat actor targets government and diplomatic entities in the CIS.”

The Russian cybersecurity firm’s latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023.

Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.

Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).

Spear-phishing attacks mounted by the group have leveraged a “polyglot toolset” comprising a variety of low-sophistication “burner” implants that are coded in different programming languages and repeatedly deployed against the same targets.

Besides using open source or commercially available offensive tools, the group’s custom malware arsenal falls into one of three categories: downloaders, backdoors, and information stealers –

  • Telemiris – A Python backdoor that uses Telegram as a command-and-control (C2) channel.
  • Roopy – A Pascal-based file stealer designed to hoover up files of interest every 40-80 minutes and exfiltrate them to a remote server.
  • JLORAT – A file stealer written in Rust that gathers system information, runs commands issued by the C2 server, uploads and downloads files, and captures screenshots.

Kaspersky has discovered that the QUIETCANARY (aka TunnusSched) implant was distributed via Telemiris against a government target in the CIS, and that there are overlaps between this attack and a Turla cluster tracked by Google-owned Mandiant under the name UNC4210.

“More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy,” the researchers explained.


Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

“These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem. All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample. The TunnusSched sample was blocked as well.”

Tomiris is reported to be distinct from Turla due to differences in targeting and tradecraft, which again raises the possibility of a false flag operation despite the groups’ possible affiliations.

In contrast, the fact that Russian military intelligence agencies employ tools supplied by a Moscow-based IT contractor named NTC Vulkan suggests that Turla and Tomiris work together on certain operations, or that both players rely on a shared software vendor.

“Overall, Tomiris is a very agile and determined actor, open to experimentation,” the researchers said, adding “there exists a form of deliberate cooperation between Tomiris and Turla.”
