SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Kaspersky shares latest details about malicious APT threat actor

Kaspersky has released a new investigation on Tomiris APT group that focuses on intelligence gathering in Central Asia.

This Russian-speaking actor uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable, presumably in order to obstruct attribution, Kaspersky states. What drew the researchers special attention is that Tomiris' deploys malware that was previously linked to Turla, another notorious APT group.

Kaspersky first publicly described Tomiris in September 2021, following the investigation of a DNS-hijack against a government organisation in the Commonwealth of Independent States (CIS).

Back then, the researchers had noted inconclusive similarities with the SolarWinds incident. They continued to track Tomiris as a separate threat actor over several new attack campaigns between 2021 and 2023, and Kaspersky's telemetry allowed to shed light on the groups toolset and its possible connection to Turla.

The threat actor targets government and diplomatic entities in the CIS with the final aim to steal internal documents. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris' narrow focus.

As revealed by Kaspersky, Tomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other creative methods.

According to Kaspersky, what makes most recent Tomiris operations special is that, with medium-to-high confidence, they leveraged KopiLuwak and TunnusSched malware that were previously connected to Turla. However, despite sharing this toolkit, Kaspersky's latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft.

Tomiris is undoubtedly Russian-speaking, but its targeting and tradecrafts are significantly at odds with what has been observed for Turla. In addition, Tomiris' general approach to intrusion and limited interest in stealth do not match documented Turla tradecraft. Even so, Kaspersky's researchers believe that tools sharing is a potential proof of some cooperation between Tomiris and Turla, the extent of which is difficult to assess. In any case, depending on when Tomiris started using KopiLuwak, a number of campaigns and tools believed to be linked to Turla may in fact need to be re-evaluated.

Pierre Delcher, Senior Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT), says, "Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla. To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla although both actors likely cooperated at some point.

"Looking at tactics and malware samples only gets us so far, and we are often reminded that threat actors are subject to organisational and political constraints. This investigation illustrates the limits of technical attribution, that we can only overcome through intelligence sharing."

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). 
  • Upskill your cybersecurity team to tackle the latest targeted threats with online training.
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team for example.
Follow us on: