Tomiris and Turla APT Groups Collaborate to Target Government Entities

Written by

The advanced persistent group (APT) known as Tomiris has been observed deploying KopiLuwak and TunnusSched malware, attack tools previously linked to another APT group named Turla.

Security experts at Kaspersky shared the findings in an advisory published earlier today, where they analyzed Tomiris’s latest campaigns in central Asia.

“Tomiris’s endgame consistently appears to be the regular theft of internal documents,” wrote Kaspersky senior security researchers Pierre Delcher and Ivan Kwiatkowski.

“The threat actor targets government and diplomatic entities in the CIS [Commonwealth of Independent States]. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.”

Kaspersky added that the observed attacks relied on several low-sophistication “burner” implants in different programming languages consistently deployed against the same targets, using basic but efficient packaging and distribution techniques. Tomiris also occasionally relied on commercial or open-source RATs.

Attack vectors included spear-phishing emails with malicious content attached, such as password-protected archives, malicious documents and weaponized LNKs. Tomiris also relied on DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon) and suspected drive-by downloads.

Read more on ProxyLogon here: Tick APT Group Hacked East Asian DLP Software Firm

Delcher and Kwiatkowski highlighted that language artifacts found in Tomiris’s implant families and infrastructure from different campaigns indicated that the APT was Russian speaking. 

“We are convinced that despite possible ties between the two groups, Turla and Tomiris are separate actors,” Kaspersky explained.

“Tomiris [like Turla] is undoubtedly Russian-speaking, but its targeting and tradecraft are significantly at odds with what we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth are significantly at odds with documented Turla tradecraft.”

Still, the shared deployment of KopiLuwak and TunnusSched malware tools indicates that more actors could access them.

“Looking at tactics and malware samples only gets us so far, and we are often reminded that threat actors are subject to organizational and political constraints,” reads the advisory. “This investigation illustrates the limits of technical attribution that we can only overcome through intelligence sharing.”

The Kaspersky advisory comes a few months after the Russian government banned several foreign messaging apps.

What’s hot on Infosecurity Magazine?