Connect with us

Hi, what are you looking for?

HEADLINES

Kaspersky investigates Tomiris APT group targeting government entities in CIS

This Russian-speaking actor uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable, presumably in order to obstruct attribution. What drew the researchers’ special attention is that Tomiris deploys malware that was previously linked to Turla, another notorious APT group.

Kaspersky has released a new investigation on Tomiris APT group that focuses on intelligence gathering in Central Asia. This Russian-speaking actor uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable, presumably in order to obstruct attribution. What drew the researchers’ special attention is that Tomiris deploys malware that was previously linked to Turla, another notorious APT group.

Kaspersky first publicly described Tomiris in September 2021, following the investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Back then, the researchers had noted inconclusive similarities with the SolarWinds incident. They continued to track Tomiris as a separate threat actor over several new attack campaigns between 2021 and 2023, and Kaspersky’s telemetry allowed to shed light on the group’s toolset and its possible connection to Turla.

The threat actor targets government and diplomatic entities in the CIS with the final aim to steal internal documents. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.

Tomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other “creative” methods.

Advertisement. Scroll to continue reading.

What makes most recent Tomiris’ operations special is that, with medium-to-high confidence, they leveraged KopiLuwak and TunnusSched malware that were previously connected to Turla. However, despite sharing this toolkit, Kaspersky’s latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft. 

Tomiris is undoubtedly Russian-speaking, but its targeting and tradecrafts are significantly at odds with what has been observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth do not match documented Turla tradecraft. However, Kaspersky’s researchers believe that tools sharing is a potential proof of some cooperation between Tomiris and Turla, the extent of which is difficult to assess. In any case, depending on when Tomiris started using KopiLuwak, a number of campaigns and tools believed to be linked to Turla may in fact need to be re-evaluated.

“Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla. To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla – although both actors likely cooperated at some point. Looking at tactics and malware samples only gets us so far, and we are often reminded that threat actors are subject to organizational and political constraints. This investigation illustrates the limits of technical attribution that we can only overcome through intelligence sharing.” comments Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

Read the full report about the Tomiris APT group on Securelist.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. 
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.

Advertisement. Scroll to continue reading.
Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

The campaigns show attackers are capitalizing on people’s increasing familiarity with completing multiple authentication steps online – a trend HP calls ‘click tolerance’. 

White Papers

IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on...

HEADLINES

Kaspersky participated in 95 independent tests and reviews, with its products being awarded first place 91 times and 92 TOP3 finishes, achieving the highest results among...

HEADLINES

‘Wangiri’ originated in Japan in the early 2000’s. The term describes the modus. ‘Wan’ is a play on the word ‘one’ while ‘giri’ means...

HEADLINES

Smart and its value brand TNT do not send text messages with clickable links. If you receive one—even if it looks like it’s from...

White Papers

n the Philippines, industry players are taking a more proactive approach to building a security framework for digital resilience.

HEADLINES

This marks the company’s first participation in the region’s premier tech event, where it will showcase its groundbreaking cybersecurity solutions to industry leaders, innovators,...

HEADLINES

A report found that the primary way attackers gained initial access to networks (56% of all cases across MDR and IR) was by exploiting...

Advertisement