Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Tomiris. Show all posts

APT Groups Tomiris and Turla Target Governments

 


As a result of an investigation under the Advanced Persistence Threat (APT) name Tomiris, the group has been discovered using tools such as KopiLuwak and TunnusSched that were previously linked to another APT group known as Turla. 

Positive results are the result of an investigation conducted into the Tomiris APT group. This investigation focused on an intelligence-gathering campaign in Central Asia. As a possible method to obstruct attribution, the Russian-speaking actor used a wide array of malware implants that were created rapidly and in all programming languages known to man to develop the malware implants. A recently published study aims to understand how the group uses malware previously associated with Turla, one of the most notorious APT groups. 

Cyberspace is a challenging environment for attribution. There are several ways highly skilled actors throw researchers off track with their techniques. These include masking their origins, rendering themselves anonymous, or even misrepresenting themselves as part of other threat groups using false flags. Adam Flatley, formerly Director of Operations at the National Security Agency and Vice President for Intelligence at [Redacted], explains this in excellent depth. Adam and his team can determine their real identities only by taking advantage of threat actor operational security mistakes. 

Based on Kaspersky's observations, the observed attacks were backed by several low-sophisticated "burner" implant attacks using different programming languages, regularly deployed against the same targets by using basic but efficient packaging and distribution techniques as well as deployed against the same targets consistently. Tomiris also uses open-source or commercial risk assessment tools. 

In addition to spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), Tomiris uses a wide range of other attack vectors. Tomiris' creative methods include DNS hijacking, exploiting vulnerabilities (specifically ProxyLogon), suspected drive-by downloads, etc. 

To steal documents inside the CIS, the threat actor targets governments and diplomatic entities within that region. There have been instances where victims have turned up in other regions (overseas as the Middle East and Southeast Asia) only to be foreigners representing the countries of the Commonwealth of Independent States, a clear indication of Tomiris's narrow focus on the region. 

An important clue to figuring out what's happening is the targeting. As Delcher explained, Tomiris focuses on government organizations in CIS, including the Russian Federation. However, in the cybersecurity industry, some vendors refer to Turla as a Russian-backed entity. A Russian-sponsored actor would not target the Russian Federation, which does not make sense. 

According to Delcher, it is not simply an educational exercise to differentiate between threat actors and legitimate actors. A stronger defense can be achieved through the use of such software. There may be some campaigns and tools that need to be re-evaluated in light of the date Tomiris started utilizing KopiLuwak. In addition, there are several tools associated with Turla.