Russian Hackers

The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal.

"Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and diplomatic entities in the CIS."

The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023.

Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.

Cybersecurity

Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).

Spear-phishing attacks mounted by the group have leveraged a "polyglot toolset" comprising a variety of low-sophistication "burner" implants that are coded in different programming languages and repeatedly deployed against the same targets.

Russian Hackers

Besides using open source or commercially available offensive tools like RATel and Warzone RAT (aka Ave Maria), the custom malware arsenal used by the group falls into one of the three categories: downloaders, backdoors, and information stealers -

  • Telemiris - A Python backdoor that uses Telegram as a command-and-control (C2) channel.
  • Roopy - A Pascal-based file stealer that's designed to hoover files of interest every 40-80 minutes and exfiltrate them to a remote server.
  • JLORAT - A file stealer written in Rust that gathers system information, runs commands issued by the C2 server, upload and download files, and capture screenshots.

Kaspersky's investigation of the attacks has further identified overlaps with a Turla cluster tracked by Google-owned Mandiant under the name UNC4210, uncovering that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS by means of Telemiris.

"More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy," the researchers explained.

Cybersecurity

"These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem. All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample. The TunnusSched sample was blocked as well."

That said, despite the potential ties between the two groups, Tomiris is said to be separate from Turla owing to differences in their targeting and tradecrafts, once again raising the possibility of a false flag operation.

On the other hand, it's also highly probable that Turla and Tomiris collaborate on select operations or that both the actors rely on a common software provider, as exemplified by Russian military intelligence agencies' use of tools supplied by a Moscow-based IT contractor named NTC Vulkan.

"Overall, Tomiris is a very agile and determined actor, open to experimentation," the researchers said, adding "there exists a form of deliberate cooperation between Tomiris and Turla."

Update

In a report published on December 4, 2024, the Microsoft Threat Intelligence team attributed the Tomiris backdoor to a Kazakhstan-based threat actor it tracks as Storm-0473. For more details, please check here.

(The story was updated after publication on December 4, 2024, to reflect the change in threat actor attribution.)


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.