
A little-known Russian-speaking cyber espionage group has been revealed to be involved in a new politically motivated surveillance campaign targeting government officials, telecommunications services and public service infrastructure in Tajikistan.
The intrusion set, dubbed PaperBug, has been attributed by Swiss cybersecurity firm PRODAFT to Nomadic Octopus (aka Dust Squad).
“The types of machines compromised ranged from personal computers to [operational technology],” PRODAFT said in a detailed technical report shared with The Hacker News.
The ultimate motive behind the attack is unknown at this stage, but the cybersecurity firm has raised the possibility that it was the work of domestic opposition forces or an intelligence gathering mission by Russia or China.
Nomadic Octopus first came to light in October 2018, when ESET and Kaspersky detailed a series of phishing attacks carried out by the actor against several Central Asian countries. The group is believed to have been active since at least 2014.
The cyberattacks have involved custom Android and Windows malware used against high-value targets such as local governments, diplomatic missions, and political bloggers, suggesting that the attackers are more likely engaged in cyber-surveillance activities.
Disguised as an alternate version of the Telegram messaging app, the Windows malware, dubbed Octopus, is a Delphi-based tool that allows attackers to monitor victims, siphon sensitive data, and gain backdoor access to systems via a command-and-control (C2) panel.
A subsequent analysis by Gcow Security in December 2019 revealed that the Advanced Persistent Threat (APT) group’s attack against the Uzbekistan Ministry of Foreign Affairs was aimed at deploying Octopus.
PRODAFT’s findings are the result of the discovery of an operational environment managed by Nomadic Octopus since 2020, making Paperbug the first campaign orchestrated by the group since Octopus.
Data collected by the company shows that after successfully gaining access to a telecom company’s network, the threat actor moved laterally to more than 10 targets focused on government networks, executives, and OT devices with known vulnerabilities. It is not known exactly when and how the telecom network was compromised.

“Operation PaperBug is consistent with a general trend of attacks on Central Asian government infrastructure that has become more pronounced in recent times,” PRODAFT said.
Nomadic Octopus is believed to exhibit some level of affiliation with another Russian state actor known as Sofacy (aka APT28, Fancy Bear, Forest Blizzard, or FROZENLAKE), based on overlapping victimology.
The latest attacks also used Octopus variants with the ability to take screenshots, execute commands remotely, and download and upload files between infected hosts and remote servers. One such artifact was uploaded to VirusTotal on April 1, 2021.
A closer look at the command and control (C2) servers revealed that the group had successfully backdoored a total of 499 systems as of January 27, 2022. Among them were government network devices, gas stations, and cash registers.
However, the group does not appear to possess an advanced toolset, and despite the high stakes of the operation, does not appear to be very interested in hiding its traces on victims’ machines.
“When operating on a compromised machine to steal information, they sometimes inadvertently displayed permission pop-ups on the victim’s computer, resulting in arousal of suspicion by the victim,” the company pointed out. “But this was resolved as the group diligently named the files they transferred as harmless and unobtrusive programs.”
The same tactic extends to the naming of their malicious tools. The group flies under the radar by masquerading its tools as popular web browsers such as Google Chrome, Mozilla Firefox and Yandex.
That said, PaperBug’s attack chain is largely characterized by the use of common attack tools and common techniques, which effectively provide cover for the group and make attribution more difficult.
“This imbalance between operator skill and mission importance may indicate that the operator was recruited by some entity that provided a list of commands that had to be executed precisely on each machine,” PRODAFT said, adding, “Operators are forced to create a checklist and stick to it.”