A Russian espionage group tracked as Nomadic Octopus has been observed spying on Tajikistan's high-ranking government officials, public service infrastructure, and telecom services, likely after infiltrating a mobile phone carrier, cyber threat intelligence company Prodaft reports.
Active since at least 2014 and also referred to as DustSquad, Nomadic Octopus is known for targeting individuals and diplomatic entities in Central Asia, mainly in Afghanistan and former Soviet Union countries.
In 2018, the advanced persistent threat (APT) actor was seen targeting the Democratic Choice (DVK) opposition party in Kazakhstan with the Octopus trojan, disguised as the Telegram messaging application.
Dubbed Paperbug in Prodaft's report, Nomadic Octopus' Tajikistani campaign has been ongoing since 2020 and has resulted in the compromise of government networks, individual computers, and operational technology (OT) devices, such as gas station systems.
The group, however, was seen dropping access to victims it did not deem valuable, namely those unrelated to government infrastructure or public services.
As part of the Paperbug campaign, the APT periodically stole emails, documents, and messaging application chat histories, but it also spied on victims in real time, taking screenshots while they were writing emails or drafting new contracts.
The group was seen keeping notes in Russian on the compromised devices and their owners, mostly government entities, and holding on to its connections to compromised OT devices; both were typically categorized by the victim's value.
Access to victims, Prodaft says, was obtained through the compromised networks of a Tajikistan-based telecom company. The threat actor has continued to harvest information from the carrier since November 2020.
"It is determined that the Paperbug operation started in this firm's network, then expanded its access through document theft, stolen clients' contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services," Prodaft explains.
Nomadic Octopus used multiple servers to manage the backdoors and tools deployed as part of the campaign, including malware that shows similarities to the previously analyzed Octopus trojan. The backdoors allowed the attackers to execute commands on the victims' machines.
The campaign, however, was mostly characterized by the use of public offensive tools, some deployed carelessly, even during the victims' working hours. To mask the activity, the attackers gave their tools names that blend in with legitimate software, including Google Update, Chrome Update, Java Update, and Google Crash Handler.
Despite the stakes of the campaign, the operators appeared to be low-skilled, which led Prodaft to conclude that they were given a "list of commands that need to be executed on each machine exactly".
"This is further supported by the obstinate behavior of trying to execute some commands even though it is clear beforehand that they will fail, meaning that the operator follows a checklist and is forced to stick to it," Prodaft notes.
When needed, the operators renamed tools after more generic programs to get past firewall rules or obtain additional privileges. In some cases, however, they forgot to rename the alternative tools they tried next, which raised suspicion.
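One practical hunt for the naming trick described above, given here as an added example and not as anything from Prodaft's report or the actor's own tooling: it reads process-creation records (the sample records are constructed and shaped like the Image, Signer and ParentImage fields of a Sysmon event ID 1) and flags executables whose names imitate Google Update, Chrome Update, Java Update or Google Crash Handler but which run from an unexpected directory, lack the vendor's signature, or were spawned by a shell or script host. The expected install paths, expected signers and the list of suspicious parents are assumptions drawn from the vendors' default installs and common detection practice, not facts taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcRecord:
    image: str    # full path of the executable as logged (Sysmon EID 1 "Image")
    signer: str   # Authenticode signer subject, "" when unsigned or unknown
    parent: str   # parent process image path ("ParentImage")


# Names the actor borrowed, paired with where the genuine binary lives and who
# signs it. Locations and signers are assumptions from the vendors' default
# installs, not something the Prodaft report documents.
RULES = [
    # (basename regex, expected directory regex, expected signer substring)
    (r"^google[ _-]?(update|crashhandler)(64)?\.exe$", r"\\google\\update\\", "google"),
    (r"^chrome[ _-]?update.*\.exe$", r"\\google\\update\\", "google"),
    (r"^(java[ _-]?update|jusched|jucheck).*\.exe$", r"\\java\\java update\\", "oracle"),
]

# Interactive shells and script hosts rarely launch a real updater; treating
# them as suspicious parents is a heuristic, not a rule from the report.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def check(rec: ProcRecord) -> list[str]:
    """Return the reasons a record looks like a masquerading tool ([] if none)."""
    image = rec.image.replace("/", "\\").lower()
    name = _basename(image)
    for name_re, dir_re, signer in RULES:
        if not re.match(name_re, name):
            continue
        reasons = []
        if not re.search(dir_re, image):
            reasons.append(f"path outside expected install dir: {rec.image}")
        if signer not in rec.signer.lower():
            reasons.append(f"signer {rec.signer!r} is not {signer}")
        if _basename(rec.parent) in SHELL_PARENTS:
            reasons.append(f"spawned by {_basename(rec.parent)}")
        return reasons
    return []   # name does not mimic any updater; out of scope for this rule


def hunt(records) -> dict[str, list[str]]:
    """Map each flagged image path to the list of reasons it was flagged."""
    return {r.image: reasons for r in records if (reasons := check(r))}


# Constructed sample telemetry (not from the report): two genuine Google
# binaries, two masquerades of the kind described, and an unrelated process.
SAMPLE = [
    ProcRecord(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
               "Google LLC", r"C:\Windows\System32\services.exe"),
    ProcRecord(r"C:\Program Files (x86)\Google\Update\GoogleCrashHandler.exe",
               "Google LLC", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    ProcRecord(r"C:\Users\Public\Google Update.exe",
               "", r"C:\Windows\System32\cmd.exe"),
    ProcRecord(r"C:\ProgramData\Java Update\javaupdate.exe",
               "", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcRecord(r"C:\Windows\System32\svchost.exe",
               "Microsoft Windows", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE).items():
        print(image)
        for why in reasons:
            print("   -", why)
```

Run against the constructed sample, the two genuine Google binaries pass and the two renamed tools are each flagged on all three counts. The same name-versus-location comparison is worth running over firewall allow rules and scheduled tasks, since a tool renamed to slip past a firewall prompt leaves a rule whose display name mimics an updater but whose program path does not.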
"The group usually does not know which device they gained access to. From how the Nomadic Octopus group decides to eliminate or keep a connection, it is clear to see that Nomadic Octopus is actively searching for OT devices, government networks and officers, and public service infrastructures. These targets enable them to gather closed, confidential sources and surveillance on Tajikistan and its people," Prodaft notes.