LetsAskBinu.com

Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services

By Researcher
April 30, 2023
in Cybersecurity

A Russian espionage group tracked as Nomadic Octopus has been observed spying on Tajikistan’s high ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier, cyber threat intelligence company Prodaft reports.

Active since at least 2014 and also referred to as DustSquad, Nomadic Octopus is known for targeting individuals and diplomatic entities in Central Asia, mainly in Afghanistan and former Soviet Union countries.

In 2018, the advanced persistent threat (APT) actor was seen targeting the Democratic Choice (DVK) opposition party in Kazakhstan with the Octopus trojan, disguised as the Telegram messaging application.

Dubbed Paperbug (PDF), Nomadic Octopus’ Tajikistani campaign has been ongoing since 2020, resulting in the compromise of government networks, individual computers, and operational technology (OT) devices, such as gas station systems.

However, the group was seen removing access to victims that were not deemed valuable and which were unrelated to government infrastructure or public services.

As part of the Paperbug campaign, the APT would periodically steal emails, documents, and messaging application chat histories, but would also spy on victims in real time, taking screenshots when they were writing emails or creating new contracts.

The group was seen writing notes in Russian about the compromised devices and their owners, who were mainly government entities, but also maintaining connections to compromised OT devices, which were typically categorized based on the victim’s value.

Access to victims, Prodaft says, was obtained through the compromised networks of a Tajikistan-based telecom company. The threat actor has continued to harvest information from the carrier since November 2020.

“It is determined that the Paperbug operation started in this firm’s network then expanded their access through document theft, stolen clients’ contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services,” Prodaft explains.

Nomadic Octopus used multiple servers to manage the backdoors and tools deployed as part of the campaign, including malware that shows similarities to the previously analyzed Octopus. The backdoors allowed the attackers to execute various commands on the victims’ machines.

However, the campaign was mostly characterized by the use of public offensive tools, some deployed carelessly, even during the victim’s active hours. At the same time, the attackers named their tools in a manner meant to hide the activity, including Google Update, Chrome Update, Java Update, and Google Crash Handler.

Despite the stakes of the campaign, however, the operators appeared to be low-skilled, which led Prodaft to the conclusion that they were given a “list of commands that need to be executed on each machine exactly”.

“This is further supported by the obstinate behavior of, trying to execute some commands even though it is clear beforehand that they will fail, thus meaning that the operator follows a checklist and forced to stick to it,” Prodaft notes.

When needed, the operators would change their tools’ names to those of more generic programs, to obtain firewall permissions or additional privileges. In some cases, however, the operators would forget to change the names when trying alternative tools, thus raising suspicion.
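The masquerading described above (tools named Google Update, Chrome Update, Java Update and Google Crash Handler) is something a defender can check for on endpoint telemetry. The following is an added example, not code from Prodaft or from the report: it takes constructed process-creation records and flags any that carry one of the lure names but are not signed by the expected vendor or do not run from the vendor's install directory. The expected signer names and install-path fragments are assumptions for the example, not values from the report.

```python
from dataclasses import dataclass
from typing import List

# Lure names the article says Nomadic Octopus gave its tools.
LURE_NAMES = ["google update", "chrome update", "java update", "google crash handler"]

# Assumed expectations for the genuine programs (signer and install-directory
# fragment). These are assumptions for this example, not values from the report.
EXPECTED = {
    "google": {"signer": "Google LLC", "path_fragment": "\\google\\"},
    "chrome": {"signer": "Google LLC", "path_fragment": "\\google\\"},
    "java": {"signer": "Oracle America, Inc.", "path_fragment": "\\java\\"},
}


@dataclass
class ProcessEvent:
    name: str    # process name or file description as shown to the user
    path: str    # full path of the image on disk
    signer: str  # Authenticode signer, "" if unsigned


def is_suspicious(ev: ProcessEvent) -> bool:
    """True if the process borrows an updater's name but not its vendor AND location."""
    name = ev.name.lower()
    if not any(lure in name for lure in LURE_NAMES):
        return False
    vendor = name.split()[0]  # "google", "chrome" or "java"
    exp = EXPECTED[vendor]
    signer_ok = ev.signer == exp["signer"]
    path_ok = exp["path_fragment"] in ev.path.lower()
    # Both must hold; a valid signer in an odd location is still worth a look.
    return not (signer_ok and path_ok)


def triage(events: List[ProcessEvent]) -> List[str]:
    """Return the image paths of every event that deserves analyst attention."""
    return [ev.path for ev in events if is_suspicious(ev)]


# Constructed sample events, not data from the Paperbug report.
SAMPLE = [
    ProcessEvent("Google Update", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "Google LLC"),
    ProcessEvent("Google Update", r"C:\Users\Public\Google Update.exe", ""),
    ProcessEvent("Java Update", r"C:\ProgramData\Java Update\jupdate.exe", ""),
    ProcessEvent("Google Crash Handler", r"C:\Windows\Temp\GoogleCrashHandler.exe", "Google LLC"),
    ProcessEvent("notepad", r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for p in triage(SAMPLE):
        print("suspicious:", p)
```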

“The group usually does not know which device they gained access to. From how Nomadic Octopus group eliminates or keeps connection decision, it is clear to see that Nomadic Octopus is actively searching for OT devices, government networks and officers and public service infrastructures. These targets enable them to gather closed confidential sources and surveillance on Tajikistan and its people,” Prodaft notes.

Related: Kaspersky Analyzes Links Between Russian State-Sponsored APTs

Related: UK Warns of Russian Hackers Targeting Critical Infrastructure

Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers


© 2022 Lets Ask Binu All Rights Reserved