Russian Hacker Tomiris Targets Central Asia for Intelligence Gathering
The Russian-speaking threat actor behind the backdoor known as Tomiris is primarily focused on intelligence gathering in Central Asia, new findings from Kaspersky reveal.
“Tomiris’ end game consistently appears to be routine theft of internal documents,” security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. “Threat actors are targeting governmental and diplomatic entities in the CIS.”
The Russian cybersecurity firm’s latest assessment is based on three new attack campaigns mounted by hacking crews between 2021 and 2023.
Tomiris first came to light in September 2021 when Kaspersky highlighted its potential relationship with Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.
Similarities are also found between the backdoor and another type of malware dubbed Kazuar, which is associated with the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).
The group’s spear-phishing attacks have relied on a “polyglot” toolset of low-sophistication “burner” implants written in different programming languages and used repeatedly against the same target.
Beyond open source or commercially available offensive tools, the group’s own malware arsenal falls into one of three categories: downloaders, backdoors, and information stealers –
- Telemiris – A Python backdoor that uses Telegram as a command-and-control (C2) channel.
- Roopy – A Pascal-based file stealer designed to collect files of interest every 40-80 minutes and exfiltrate them to a remote server.
- JLORAT – A file stealer written in Rust that gathers system information, executes commands issued by the C2 server, uploads and downloads files, and captures screenshots.
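The two behaviours that stand out for defenders in the list above are a Telegram Bot API C2 channel and a file stealer that uploads on a 40-80 minute cadence. The following is an added detection sketch, not Kaspersky’s code or part of the original article: it parses constructed web-proxy log lines (timestamp, source host, method, destination host, bytes sent; the hosts and sizes are invented) and flags hosts that talk to api.telegram.org without being sanctioned to, plus host/destination pairs that repeatedly POST large bodies with every gap inside the 40-80 minute window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real telemetry): ts src method dst bytes_sent
SAMPLE_LOG = """\
2022-09-13T05:40:12Z ws-17 POST api.telegram.org 812
2022-09-13T05:41:30Z ws-17 GET  example-cdn.test 120
2022-09-13T06:05:40Z ws-17 POST api.telegram.org 790
2022-09-13T06:11:00Z ws-22 POST files.example-upload.test 5100000
2022-09-13T06:52:10Z ws-22 POST files.example-upload.test 4800000
2022-09-13T07:40:15Z ws-22 POST files.example-upload.test 5300000
2022-09-13T08:55:02Z ws-22 POST files.example-upload.test 4900000
2022-09-13T07:00:00Z ws-09 POST corp-sharepoint.test 200000
2022-09-13T07:00:30Z ws-09 POST corp-sharepoint.test 300000
"""

TELEGRAM_API_HOST = "api.telegram.org"  # Bot API endpoint used by Telegram-based C2


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, sent = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "dst": dst,
            "bytes": int(sent),
        })
    return events


def find_telegram_c2(events, sanctioned_hosts=frozenset()):
    """Hosts reaching the Telegram Bot API that have no business reason to.

    sanctioned_hosts is an assumed allow-list (e.g. a team that runs a bot);
    every other source talking to api.telegram.org is worth a look.
    """
    return {
        e["src"] for e in events
        if e["dst"] == TELEGRAM_API_HOST and e["src"] not in sanctioned_hosts
    }


def find_periodic_exfil(events, min_minutes=40, max_minutes=80,
                        min_bytes=1_000_000, min_uploads=3):
    """Return {(src, dst): [gap_minutes, ...]} for repeated large uploads
    whose inter-upload gaps all fall inside the [min_minutes, max_minutes]
    window, i.e. the randomised 40-80 minute cadence described for Roopy.
    Thresholds are assumed values to tune per environment."""
    uploads = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["bytes"] >= min_bytes:
            uploads[(e["src"], e["dst"])].append(e["ts"])

    flagged = {}
    for key, times in uploads.items():
        if len(times) < min_uploads:
            continue
        times.sort()  # log order is not guaranteed to be chronological
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if all(min_minutes <= g <= max_minutes for g in gaps):
            flagged[key] = gaps
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Telegram C2 suspects:", sorted(find_telegram_c2(evs)))
    for (src, dst), gaps in find_periodic_exfil(evs).items():
        print(f"periodic uploads {src} -> {dst}: gaps (min) {[round(g, 1) for g in gaps]}")
```

The Telegram rule is deliberately blunt because the Bot API hostname is fixed and TLS hides the bot token; an allow-list is the only tuning it needs. The cadence rule keys on the window rather than on a fixed period because a randomised 40-80 minute timer defeats classic beacon-periodicity detection, and it requires every gap to fit so that a user who happens to upload twice in an hour is not flagged.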
Kaspersky’s investigation further identified an overlap with the Turla cluster tracked by Google’s Mandiant under the name UNC4210, revealing that a QUIETCANARY (aka TunnusSched) implant had been deployed against government targets in the CIS via Telemiris.
“To be more precise, on September 13, 2022, at around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first the Python Meterpreter loader, then JLORAT and Roopy,” the researchers explained.
“These attempts were thwarted by the security product, which led the attacker to make repeated attempts, from various locations in the file system. All of these attempts ended in failure. After a one-hour delay, the operator tried again at 07:19 UTC, this time using the TunnusSched/QUIETCANARY sample. The TunnusSched sample was also blocked.”
Nonetheless, despite the potential link between the two groups, Tomiris is assessed to be separate from Turla because of differences in targeting and tradecraft, which again raises the possibility of a false flag operation.
On the other hand, it is also quite possible that Turla and Tomiris collaborated on certain operations, or that both actors depend on the same software provider, as exemplified by the tooling supplied to the Russian military intelligence agency by a Moscow-based IT contractor named NTC Vulkan.
“Overall, Tomiris is a very agile and determined actor, open to experimentation,” said the researchers, adding “there is a deliberate form of cooperation between Tomiris and Turla.”