
Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

A Russian espionage group tracked as Nomadic Octopus has been observed spying on Tajikistan’s high ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier, cyber threat intelligence company Prodaft reports.

Active since at least 2014 and also referred to as DustSquad, Nomadic Octopus is known for the targeting of individuals and diplomatic entities in Central Asia, mainly in Afghanistan and former Soviet Union countries.

In 2018, the advanced persistent threat (APT) actor was seen targeting the Democratic Choice (DVK) opposition party in Kazakhstan with the Octopus trojan, disguised as the Telegram messaging application.

Dubbed Paperbug (PDF), Nomadic Octopus’ Tajikistani campaign has been ongoing since 2020, resulting in the compromise of government networks, individual computers, and operational technology (OT) devices, such as gas station systems.

However, the group was also seen dropping access to victims it did not deem valuable and that were unrelated to government infrastructure or public services.

As part of the Paperbug campaign, the APT would periodically steal emails, documents, and messaging application chat histories, but would also spy on victims in real time, taking screenshots when they were writing emails or creating new contracts.

The group was seen writing notes in Russian about the compromised devices and their owners, who were mainly government entities, but also maintaining connections to compromised OT devices, which were typically categorized based on the victim’s value.

Access to victims, Prodaft says, was obtained through the compromised networks of a Tajikistan-based telecom company. The threat actor has continued to harvest information from the carrier since November 2020.


“It is determined that the Paperbug operation started in this firm’s network then expanded their access through document theft, stolen clients’ contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services,” Prodaft explains.

Nomadic Octopus used multiple servers to manage the backdoors and tools deployed as part of the campaign, including malware that shows similarities to the previously analyzed Octopus. The backdoors allowed the attackers to execute various commands on the victims’ machines.

The campaign was mostly characterized by the use of public offensive tools, some deployed inattentively, even during the victims’ active hours. At the same time, the attackers named their tools in a manner meant to hide the activity, using names such as Google Update, Chrome Update, Java Update, and Google Crash Handler.

Despite the stakes of the campaign, however, the operators appeared to be low-skilled, which led Prodaft to the conclusion that they were given a “list of commands that need to be executed on each machine exactly”.

“This is further supported by the obstinate behavior of trying to execute some commands even though it is clear beforehand that they will fail, thus meaning that the operator follows a checklist and is forced to stick to it,” Prodaft notes.

When needed, the operators would rename tools to resemble more generic programs in order to obtain firewall permissions or additional privileges. In some cases, however, the operators would forget to change the names when trying alternative tools, thus raising suspicion.
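The tool-naming behavior described in the two paragraphs above (tools labeled Google Update, Chrome Update, Java Update and Google Crash Handler, sometimes renamed to slip past firewall rules) is a classic masquerading pattern, and it is detectable because a genuine updater runs from a known install directory and carries a known code-signing publisher. The script below is an added illustration for defenders, not code from the article or from Prodaft’s report: it checks process-creation records against a small allow-list keyed on those four lure names. The expected install directories and signer strings are assumptions chosen for illustration and should be baselined against a clean reference host; the event format and the sample records are constructed, not real telemetry.

```python
import re

# Lure names the article reports Nomadic Octopus using, mapped to where the
# genuine program normally runs from and who signs it. The directory prefixes
# and signer strings are ASSUMPTIONS for illustration; baseline them on a
# clean host before using this in production.
MASQUERADE_RULES = {
    "google update": {
        "paths": ("c:/program files (x86)/google/update/", "c:/program files/google/update/"),
        "signer": "google llc",
    },
    # Chrome is updated by Google Update, so the same location applies (assumption).
    "chrome update": {
        "paths": ("c:/program files (x86)/google/update/", "c:/program files/google/update/"),
        "signer": "google llc",
    },
    "java update": {
        "paths": ("c:/program files (x86)/common files/java/java update/",
                  "c:/program files/common files/java/java update/"),
        "signer": "oracle america, inc.",
    },
    "google crash handler": {
        "paths": ("c:/program files (x86)/google/update/", "c:/program files/google/update/"),
        "signer": "google llc",
    },
}

# key="quoted value" or key=bare_value (constructed record format)
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


def parse_event(line):
    """Parse one key=value process-creation record into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def _squash(text):
    """Lower-case and drop whitespace so 'Google Update' matches 'googleupdate.exe'."""
    return re.sub(r"\s+", "", text.lower())


def check_event(evt):
    """Return a list of findings for one event; an empty list means nothing suspicious."""
    image = evt.get("Image", "").replace("\\", "/").lower()
    basename = image.rsplit("/", 1)[-1]
    description = evt.get("Description", "")
    signer = evt.get("Signer", "")
    findings = []
    for lure, rule in MASQUERADE_RULES.items():
        key = _squash(lure)
        if key not in _squash(basename) and key not in _squash(description):
            continue
        # The binary claims to be a legitimate updater: verify where it runs
        # from and who signed it, rather than trusting the name.
        if not image.startswith(rule["paths"]):
            findings.append(f"'{lure}' name outside expected install directory: {evt.get('Image')}")
        if not signer:
            findings.append(f"'{lure}' name but binary is unsigned")
        elif signer.lower() != rule["signer"]:
            findings.append(f"'{lure}' name signed by unexpected publisher: {signer}")
        break  # one matching rule is enough; avoid duplicate findings
    return findings


def scan(lines):
    """Run every record through check_event; return [(image, findings)] for flagged ones."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        evt = parse_event(line)
        findings = check_event(evt)
        if findings:
            results.append((evt.get("Image"), findings))
    return results


# Constructed sample records (not real telemetry): two legitimate updaters, one
# unrelated system process, and two binaries borrowing an updater's name.
SAMPLE_EVENTS = [
    r'Image="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" Description="Google Update" Signer="Google LLC"',
    r'Image="C:\Users\Public\Libraries\GoogleUpdate.exe" Description="Google Update" Signer=""',
    r'Image="C:\ProgramData\JavaUpdate\jusched.exe" Description="Java Update Scheduler" Signer="Oracle America, Inc."',
    r'Image="C:\Windows\System32\svchost.exe" Description="Host Process for Windows Services" Signer="Microsoft Windows"',
    r'Image="C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe" Description="Google Crash Handler" Signer="Google LLC"',
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for f in findings:
            print("  -", f)
```

Only the two lookalikes are flagged: the unsigned GoogleUpdate.exe under a user-writable directory produces two findings (location and missing signature), the Java updater lookalike one finding (location), while the genuine updaters and svchost.exe pass silently. Pairing the name check with path and signer, rather than alerting on the name alone, is what keeps this rule quiet on hosts where the real software is installed.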

“The group usually does not know which device they gained access to. From how the Nomadic Octopus group decides to eliminate or keep a connection, it is clear to see that Nomadic Octopus is actively searching for OT devices, government networks and officers, and public service infrastructures. These targets enable them to gather closed confidential sources and surveillance on Tajikistan and its people,” Prodaft notes.

Related: Kaspersky Analyzes Links Between Russian State-Sponsored APTs

Related: UK Warns of Russian Hackers Targeting Critical Infrastructure

Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
