Russian cyber espionage group Nomadic Octopus (aka DustSquad) has hacked a Tajikistani telecoms provider to spy on 18 entities, including high-ranking government officials, telecommunication services, and public service infrastructures.
The cyberspies compromised a broad range of devices, from individuals’ computers to OT devices, as part of an operation tracked as Paperbug.
The Nomadic Octopus APT has been active since at least 2014, it focuses on entities in Central Asia and former Soviet Union countries. In April 2018, Kaspersky researchers discovered a new Octopus sample developed to target Windows systems, the malicious code had been disguised as a Russian version of the Telegram app used by the Democratic Choice (DVK) opposition party in Kazakhstan.
“The initial step that led to the compromising of other victims very likely was the infiltration of the XXXXXXX network, even though the initial access time to XXXXXXX and how it was infiltrated is uncertain.” reads the report published by cyber threat intelligence firm Prodaft. “According to the frequency of screenshots being taken by Nomadic Octopus especially while targeted victims were writing e-mails and creating new contracts of their customers, the group spied on devices and took their notes diligently.”
According to the researchers, the techniques, tactics, and procedures (TTPs) observed in Operation PaperBug align with the attack pattern associated with Russia-linked threat actors like the Sofacy APT.
The Nomadic Octopus threat actor has continued to spy on the carrier since November 2020.
The researchers noticed that in some cases the state-sponsored hackers failed to stay stealthy in the compromised systems. They sometimes inadvertently caused permission pop-ups on the victim systems.
The Nomadic Octopus group used multiple servers as C2 for its backdoors and tools in the Paperbug campaign. The Octopus malware employed in the campaign supports the following capabilities:
“Everything seems to be same with the Octopus malware’s network module except the communication technique and website used as an upload service. The new sample sends data in XML format using HTTP POST requests while Octopus malware’s network module was using HTTP GET requests without XML parsing.” continues th report.
The group mainly employed public offensive tools, the operators run commands and download their tools on victim systems inattentively, for example during the victim’s active hours. The use of public tools makes attribution very hard.
The attackers placed their tools into commonly unchecked directories and used named them to appear as legitimate files, such as Google Update, Chrome Update, Java Update, and Google Crash Handler.
Most of the time, operators change tools’ names to more generic programs to avoid raising suspicion while requiring firewall permissions or additional privileges.
According to the report, sometimes the operator tried alternatives if the preferred tool failed. The experts noticed that in some cases, the operators have forgotten to change names when trying alternative tools, thus raising suspicion.
“Although the entire target list is unknown, The group may initiate other campaigns towards to geographically and politically close to Tajikistan. Used language (Russian) in command and control panel is very common in the close geographical area. Thus, it can also hint the group’s origin and interested and favored territories.” Prodaft concludes. “Proactive detection strategies are critical for overcoming fast-moving threats like this operation.”
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Nomadic Octopus)