Cyberespionage Implant Delivered via Targeted Government DNS Hijacking

Threat hunters at Kaspersky have intercepted a new cyberespionage implant being delivered via targeted DNS hijacking of government zones in Eastern Europe and published a new report Wednesday with clues linking the malware to the SolarWinds attackers.

The Russian security vendor said the newly discovered malware — called Tomiris — contains technical artifacts that suggest the possibility of common authorship or shared development practices with the group that executed the SolarWinds supply chain compromise.

The company documented the findings in a research paper that provides evidence of an advanced DNS hijacking technique used to surgically replace webmail login pages on the fly to hijack government usernames and passwords.

The DNS hijacking was observed on several government zones of an unidentified CIS member state — guesses are Kyrgyzstan or Kazakhstan — and allowed the threat actor to redirect traffic from government mail servers to attacker-controlled machines during specific time periods.

From the Kaspersky report:

During these time frames, the authoritative DNS servers for the zones above were switched to attacker-controlled resolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.

While the malicious redirections were active, visitors were directed to webmail login pages that mimicked the original ones. Due to the fact that the attackers controlled the various domain names they were hijacking, they were able to obtain legitimate SSL certificates from Let’s Encrypt for all these fake pages, making it very difficult for non-educated visitors to notice the attack – after all, they were connecting to the usual URL and landed on a secure page.

The researchers believe the credentials entered into the webpages were siphoned up by the attackers and reused in subsequent stages of a larger compromise.
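The hijack pattern described in the report, brief switches of a zone's authoritative name servers to attacker-controlled resolvers, is something a zone owner can watch for from the outside by polling the NS set on a schedule. The following is an added example, not code from Kaspersky or the report: it replays constructed periodic NS-lookup observations for a placeholder zone against a known-good baseline and reports each deviation window (start, return to baseline, and the unexpected server names), including a deviation still in progress at the last observation.

```python
from datetime import datetime

# Constructed sample feed (not data from the report): "<ISO time> <zone> <NS list>".
# The NS set flips to rogue servers at 02:00, returns at 04:00, and a second
# deviation at 10:00 is still present at the last observation.
SAMPLE_LOG = """\
2021-04-01T00:00:00 mail.example-gov.test ns1.example-gov.test,ns2.example-gov.test
2021-04-01T01:00:00 mail.example-gov.test NS1.example-gov.test.,ns2.example-gov.test
2021-04-01T02:00:00 mail.example-gov.test ns1.rogue-dns.test,ns2.rogue-dns.test
2021-04-01T03:00:00 mail.example-gov.test ns1.rogue-dns.test,ns2.rogue-dns.test
2021-04-01T04:00:00 mail.example-gov.test ns1.example-gov.test,ns2.example-gov.test
2021-04-01T10:00:00 mail.example-gov.test ns1.example-gov.test,ns9.rogue-dns.test
"""

# Known-good authoritative servers per monitored zone (placeholder names).
BASELINE = {"mail.example-gov.test": {"ns1.example-gov.test", "ns2.example-gov.test"}}

def normalize(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")

def parse_line(line):
    """Return (timestamp, zone, frozenset of NS names) for one observation."""
    ts, zone, servers = line.split()
    return (datetime.fromisoformat(ts), normalize(zone),
            frozenset(normalize(s) for s in servers.split(",")))

def find_hijack_windows(log_text, baseline):
    """One dict per contiguous run of observations whose NS set is off-baseline.

    'end' is the first observation back at baseline; None means the deviation
    was still present at the last observation (treat as ongoing).
    """
    records = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                     key=lambda r: r[0])
    open_windows, windows = {}, []
    for ts, zone, observed in records:
        expected = baseline.get(zone)
        if expected is None:
            continue                       # zone not under monitoring
        if observed != expected:
            if zone not in open_windows:   # deviation begins: open a window
                open_windows[zone] = {"zone": zone, "start": ts, "end": None,
                                      "rogue_ns": set()}
                windows.append(open_windows[zone])
            open_windows[zone]["rogue_ns"] |= observed - expected
        elif zone in open_windows:         # back to baseline: close the window
            open_windows.pop(zone)["end"] = ts
    return windows
```

A missing baseline server (a partial NS set) is also reported as a deviation, with an empty `rogue_ns`, since the comparison is on the whole set rather than only on unexpected names.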

“In some cases, they also added a message on the page to trick the user into installing a malicious ‘security update’,” the researchers noted, warning that the link leads to an executable file with the new backdoor.

Once installed on a machine, the Tomiris backdoor continuously queries a command-and-control server for additional executable files to execute on the compromised system.

Kaspersky has previously connected the SolarWinds attack code to a known Russian threat actor and is now calling on external threat-intel researchers to help reproduce the results.

The exposure of Tomiris — and the potential link to SolarWinds — comes just days after Microsoft issued a public advisory for FoggyWeb, a new piece of malware used by the SolarWinds (Nobelium) attackers.

FoggyWeb has been described by Microsoft as a post-exploitation passive backdoor that the hackers have been using to remotely exfiltrate sensitive information from compromised Active Directory Federation Services (AD FS) servers. The backdoor is persistent and highly targeted.

The threat actor has been observed launching attacks even after its operations were exposed following the discovery of the SolarWinds breach. In June, Microsoft warned that the hackers had continued to conduct operations aimed at IT companies, with targets identified across 36 countries.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.