Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

A Russian espionage group tracked as Nomadic Octopus has been observed spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier, cyber threat intelligence company Prodaft reports.

Active since at least 2014 and also referred to as DustSquad, Nomadic Octopus is known for targeting individuals and diplomatic entities in Central Asia, mainly in Afghanistan and former Soviet Union countries.

In 2018, the advanced persistent threat (APT) actor was seen targeting the Democratic Choice (DVK) opposition party in Kazakhstan with the Octopus trojan, disguised as the Telegram messaging application.

Dubbed Paperbug (PDF), Nomadic Octopus’ Tajikistani campaign has been ongoing since 2020, resulting in the compromise of government networks, individual computers, and operational technology (OT) devices, such as gas station systems.

However, the group was also seen dropping access to victims it did not deem valuable, namely those unrelated to government infrastructure or public services.

As part of the Paperbug campaign, the APT would periodically steal emails, documents, and messaging application chat histories, but would also spy on victims in real time, taking screenshots when they were writing emails or creating new contracts.

The group was seen writing notes in Russian about the compromised devices and their owners, who were mainly government entities, but also maintaining connections to compromised OT devices, which were typically categorized based on the victim’s value.


Access to victims, Prodaft says, was obtained through the compromised networks of a Tajikistan-based telecom company. The threat actor has continued to harvest information from the carrier since November 2020.

“It is determined that the Paperbug operation started in this firm’s network then expanded their access through document theft, stolen clients’ contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services,” Prodaft explains.

Nomadic Octopus used multiple servers to manage the backdoors and tools deployed as part of the campaign, including malware that shows similarities to the previously analyzed Octopus. The backdoors allowed the attackers to execute various commands on the victims’ machines.

The campaign, however, was mostly characterized by the use of public offensive tools, some of them deployed carelessly, even during the victim’s active hours. The attackers did name their tools in a manner meant to hide the activity, using names such as Google Update, Chrome Update, Java Update, and Google Crash Handler.

Despite the stakes of the campaign, the operators appeared to be low-skilled, which led Prodaft to the conclusion that they were given a “list of commands that need to be executed on each machine exactly”.

“This is further supported by the obstinate behavior of trying to execute some commands even though it is clear beforehand that they will fail, thus meaning that the operator follows a checklist and is forced to stick to it,” Prodaft notes.

When needed, the operators would rename their tools after more generic programs to obtain firewall permissions or additional privileges. In some cases, however, the operators would forget to change the names when trying alternative tools, thus raising suspicion.
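The tool names mentioned above (Google Update, Chrome Update, Java Update, Google Crash Handler) are a detection opportunity: a binary that borrows an updater’s name but runs from an unexpected directory or lacks the expected publisher signature stands out. The following is an added example written for this article, not code from Prodaft or SecurityWeek, and it makes two assumptions that must be tuned per environment: the baseline of where each genuine updater lives and who signs it, and the sample process records, which are constructed rather than taken from the report.

```python
"""Flag processes or scheduled tasks whose name mimics a well-known updater but
whose image path or publisher does not match the expected baseline.

Added example; not Prodaft's or SecurityWeek's code. The EXPECTED baseline and the
SAMPLE records are assumptions/constructed data, not values from the report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed baseline: expected install directory prefix and signer for each updater name.
# Keys are lower-case with spaces and the ".exe" suffix removed (see normalize_name).
EXPECTED = {
    "googleupdate":       ("c:\\program files (x86)\\google\\update\\", "google llc"),
    "chromeupdate":       ("c:\\program files (x86)\\google\\update\\", "google llc"),
    "googlecrashhandler": ("c:\\program files (x86)\\google\\update\\", "google llc"),
    "javaupdate":         ("c:\\program files (x86)\\common files\\java\\java update\\",
                           "oracle america, inc."),
}


@dataclass
class ProcRecord:
    name: str         # name as shown in the task list / scheduled task
    image_path: str   # full path of the executable actually launched
    publisher: str    # Authenticode signer, or "" when unsigned


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing .exe and all whitespace so that
    'Google Update', 'GoogleUpdate.exe' and 'google  update' compare equal."""
    n = name.strip().lower()
    if n.endswith(".exe"):
        n = n[:-4]
    return "".join(n.split())


def check_record(rec: ProcRecord) -> Optional[str]:
    """Return a reason string if the record looks like a masquerading updater,
    None if the name is not on the watch list or the record matches the baseline."""
    key = normalize_name(rec.name)
    if key not in EXPECTED:
        return None  # not an updater-like name; outside the scope of this rule
    exp_prefix, exp_publisher = EXPECTED[key]
    path = rec.image_path.strip().lower()
    publisher = rec.publisher.strip().lower()
    reasons = []
    if not path.startswith(exp_prefix):
        reasons.append(f"unexpected path {rec.image_path}")
    if publisher != exp_publisher:
        shown = rec.publisher or "unsigned"
        reasons.append(f"publisher {shown!r} != {exp_publisher!r}")
    return "; ".join(reasons) or None


def find_masquerading(records: List[ProcRecord]) -> List[Tuple[str, str]]:
    """Run check_record over a list and return (name, reason) pairs for hits."""
    hits = []
    for rec in records:
        reason = check_record(rec)
        if reason:
            hits.append((rec.name, reason))
    return hits


# Constructed sample records: two genuine updaters, two look-alikes, one unrelated process.
SAMPLE = [
    ProcRecord("GoogleUpdate.exe",
               r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "Google LLC"),
    ProcRecord("Google Update",
               r"C:\Users\operator\AppData\Local\Temp\Google Update.exe", ""),
    ProcRecord("Java Update",
               r"C:\ProgramData\java update\jusched.exe", "Unknown Publisher"),
    ProcRecord("Google Crash Handler",
               r"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe",
               "Google LLC"),
    ProcRecord("notepad.exe", r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for name, reason in find_masquerading(SAMPLE):
        print(f"SUSPICIOUS: {name}: {reason}")
```

On the constructed sample the rule flags only the two look-alikes (the one in a Temp directory with no signature, and the Java Update running from ProgramData under an unknown publisher), while the genuine Google binaries and the unrelated process pass. The same logic applies to scheduled task names and service display names; the paths and signer strings in `EXPECTED` are the part that needs to be verified against a clean reference host before use.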

“The group usually does not know which device they gained access to. From how Nomadic Octopus group eliminates or keeps connection decision, it is clear to see that Nomadic Octopus is actively searching for OT devices, government networks and officers and public service infrastructures. These targets enable them to gather closed confidential sources and surveillance on Tajikistan and its people,” Prodaft notes.

Related: Kaspersky Analyzes Links Between Russian State-Sponsored APTs

Related: UK Warns of Russian Hackers Targeting Critical Infrastructure

Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
