New Politically Motivated Surveillance Campaign in Tajikistan
A little-known Russian-language cyber espionage group has been linked to a new politically motivated surveillance campaign targeting high-ranking government officials, telecommunications services and public service infrastructure in Tajikistan.
The intrusion set, dubbed Paperbug by Swiss cybersecurity firm PRODAFT, has been attributed to a threat actor known as Nomadic Octopus (aka DustSquad).
“The types of compromised machines range from individual computers to (operational technology) devices,” PRODAFT said in an in-depth technical report shared with The Hacker News. “These targets made the ‘Paperbug’ operation intelligence-driven.”
The primary motive behind the attack is unclear at this stage, but the cybersecurity firm has raised the possibility that it could be the work of opposition forces inside the country or, alternatively, an intelligence-gathering mission carried out by Russia or China.
Nomadic Octopus was first documented in October 2018, when ESET and Kaspersky detailed a series of phishing attacks carried out by the actor against several countries in Central Asia. The group is thought to have been active since at least 2014.
The attacks have involved Android- and Windows-specific malware aimed at high-value entities such as local governments, diplomatic missions, and political bloggers, suggesting the threat actor is engaged in cyber surveillance operations.
Windows malware, dubbed Octopus and which masquerades as an alternative version of the messaging app Telegram, is a Delphi-based tool that allows adversaries to monitor victims, siphon sensitive data, and gain backdoor access to their systems via a command-and-control (C2) panel.
Further analysis by Gcow Security in December 2019 highlighted an advanced persistent threat group (APT) attack on the Ministry of Foreign Affairs of Uzbekistan to deploy Octopus.
PRODAFT’s findings stem from its discovery of the operational environment maintained by Nomadic Octopus since 2020, making Paperbug the first campaign orchestrated by the group since Octopus.
According to data collected by the company, the threat actor gained access to the telco’s network before moving laterally to more than a dozen targets, focusing on government networks, executives, and OT devices with publicly known vulnerabilities. Exactly how and when the telecommunications network was compromised is not known.
“PaperBug’s operations are in line with the general trend to attack Central Asian government infrastructure which has recently become more prominent,” said PRODAFT.
Nomadic Octopus is believed to exhibit some degree of cooperation with another Russian nation-state actor known as Sofacy (aka APT28, Fancy Bear, Forest Blizzard, or FROZENLAKE), based on victimology overlap.
The recent attacks involved a variant of Octopus equipped with features to take screenshots, execute commands remotely, and download and upload files between the infected host and a remote server. One of these artifacts was uploaded to VirusTotal on April 1, 2021.
A closer look at the command-and-control (C2) server reveals that the group successfully backdoored 499 systems on January 27, 2022, some of which included government network devices, gas stations, and cash registers.
The group, however, apparently either lacked sophisticated tools or was not too concerned about covering its tracks on victims’ machines, despite the high-risk nature of the operation.
“When they operate on compromised machines to steal information, they sometimes accidentally cause permission pop-ups on victims’ computers, which raises suspicions from victims,” the company said. “However, this was resolved because the group diligently named the files they transferred as tame and inconspicuous programs.”
The same tactic extends to the naming of their rogue tools, which the group disguises as popular web browsers such as Google Chrome, Mozilla Firefox, and Yandex to fly under the radar.
More broadly, Paperbug’s attack chain is characterized largely by its use of public offensive tools and generic techniques, which effectively act as a “cloak” for the group and make attribution considerably harder.
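The name-only disguise described here (and the Telegram-lookalike Octopus build mentioned earlier) is cheap to counter in telemetry: a file called chrome.exe is only benign if it also lives where Chrome installs and carries Chrome's publisher signature. The script below is an added illustration of that check, not PRODAFT's or the article's code. The expected install paths and publisher strings are assumptions based on typical Windows defaults, the process records are constructed, and a real deployment would fill both tables from a known-good inventory rather than from this file.

```python
"""Flag executables masquerading as well-known programs by file name.

Added example, not from the article or PRODAFT. A process whose image name
matches a popular browser or messenger is reported when its on-disk path is
outside that program's expected install location, or when its Authenticode
publisher does not match the expected vendor.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default install locations (regex over a lowercased, backslash-
# normalized path). Populate from a trusted inventory in real use.
EXPECTED_PATHS = {
    "chrome.exe":   [r"^c:\\program files( \(x86\))?\\google\\chrome\\application\\"],
    "firefox.exe":  [r"^c:\\program files( \(x86\))?\\mozilla firefox\\"],
    # Yandex Browser ships as browser.exe under the user's LocalAppData.
    "browser.exe":  [r"^c:\\users\\[^\\]+\\appdata\\local\\yandex\\yandexbrowser\\application\\"],
    # Telegram Desktop installs under the user's roaming AppData.
    "telegram.exe": [r"^c:\\users\\[^\\]+\\appdata\\roaming\\telegram desktop\\"],
}

# Assumed publisher names as they appear in the code-signing certificate.
EXPECTED_SIGNERS = {
    "chrome.exe":   "Google LLC",
    "firefox.exe":  "Mozilla Corporation",
    "browser.exe":  "YANDEX LLC",
    "telegram.exe": "Telegram FZ-LLC",
}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str   # full path of the executable as launched
    signer: str  # publisher from the Authenticode signature, "" if unsigned


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    reason: str


def _normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_event(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event looks like name-based masquerading."""
    path = _normalize(ev.image)
    name = path.rsplit("\\", 1)[-1]
    patterns = EXPECTED_PATHS.get(name)
    if patterns is None:
        return None  # not a name we track
    if not any(re.match(p, path) for p in patterns):
        return Finding(ev.pid, ev.image,
                       f"{name} running from unexpected directory")
    expected = EXPECTED_SIGNERS[name]
    if ev.signer.strip().lower() != expected.lower():
        shown = ev.signer or "nobody"
        return Finding(ev.pid, ev.image,
                       f"{name} signed by {shown}, expected {expected}")
    return None


def scan(events: List[ProcessEvent]) -> List[Finding]:
    """Run check_event over a batch and keep only the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry: one legitimate Chrome, two lookalikes dropped
# in user-writable folders, an untracked system binary, and a Firefox in the
# right place but with the wrong signer.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Google LLC"),
    ProcessEvent(1002, r"C:\Users\alice\AppData\Local\Temp\chrome.exe", ""),
    ProcessEvent(1003, r"C:\Users\alice\Downloads\Telegram.exe", ""),
    ProcessEvent(1004, r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
    ProcessEvent(1005, r"C:\Program Files\Mozilla Firefox\firefox.exe", "Unknown Publisher"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid={finding.pid} {finding.image}: {finding.reason}")
```

The path check alone catches the Paperbug-style drop into Temp or Downloads; the signer check catches the harder case of a tool copied into the genuine install directory. Both depend on the tables reflecting your actual fleet, so treat the defaults above as a starting point and expect per-site tuning (portable installs, non-standard drives, localized directory names).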
“This imbalance between operator skills and mission importance may indicate that operators have been recruited by some entity who provides them with a precise list of commands that need to be executed on each machine,” said PRODAFT, adding “operators follow a checklist and are forced to adhere to it.”