
Beware of the New Paperbug Attack Targeting Tajikistan Politicians


An obscure cyber-espionage group that communicates in Russian has been associated with a novel politically-driven surveillance operation aimed at top government officials, telecommunications services, and public infrastructure in Tajikistan.

Swiss cybersecurity firm PRODAFT has attributed the intrusion set, which it tracks as the Paperbug attack, to a group known as Nomadic Octopus or DustSquad.

The attribution highlights the broad scope of the Paperbug attack, which targets not only individuals' computers but also operational technology devices. The attackers use intelligence-driven methods to select their targets and gather sensitive information, making it all the more important for individuals and organizations to take the necessary precautions against this evolving threat.

It is concerning that the motive behind the Paperbug attacks targeting Tajikistan politicians is unclear. The possible involvement of opposition forces or foreign intelligence agencies raises questions about the political climate in the country and the potential impact of these attacks on national security. Individuals and organizations should remain vigilant and take appropriate steps to protect their information and systems against cyber threats, particularly in regions where political tensions are high.

In October 2018, ESET and Kaspersky reported on a series of phishing attacks that had been carried out by the Nomadic Octopus group against various countries in Central Asia. The group is believed to have been operational since 2014, at the latest.

Custom malware for Android and Windows has been employed in cyber attacks targeting high-value entities, including local governments, diplomatic missions, and political bloggers. This suggests that the threat actor is likely engaging in cyber surveillance operations.

Octopus, a Windows malware that posed as a modified version of the Telegram messaging application, is a tool written in the Delphi programming language. It enables the attacker to conduct surveillance on targets, exfiltrate sensitive data, and maintain unauthorized access to their systems, all coordinated through a command-and-control (C2) dashboard.

In December 2019, a further examination by Gcow Security revealed that an advanced persistent threat (APT) group had targeted the Ministry of Foreign Affairs of Uzbekistan to deploy Octopus.

PRODAFT has uncovered an operational environment that has been under the management of Nomadic Octopus since 2020. The discovery reveals that Paperbug is the group’s first campaign since Octopus.

The company collected data indicating that the threat actor infiltrated a telecommunications company’s network and then proceeded to breach over a dozen targets, including government networks, executives, and operational technology (OT) devices with known vulnerabilities. It remains unclear how and when the telecommunications network was initially accessed.

PRODAFT observed that Operation Paperbug is consistent with the growing trend of targeting government infrastructure in Central Asia.

Based on victimology overlaps, it is believed that Nomadic Octopus may have engaged in some form of collaboration with Sofacy (also known as APT28, Fancy Bear, Forest Blizzard, or FROZENLAKE), a Russian nation-state actor.

The recent attacks involved a variant of Octopus that is capable of capturing screenshots, remotely executing commands, and transferring files between the infected host and a remote server. One such artifact was uploaded to VirusTotal on April 1, 2021.

Upon examining the command-and-control (C2) server, it was discovered that the group was able to backdoor a total of 499 systems as of January 27, 2022. Among the systems breached were government network devices, gas stations, and a cash register.

Despite the high stakes of the attacks, the group does not appear to have sophisticated toolsets or be overly concerned with obscuring their tracks on the machines of their victims.

The company observed that while the threat actors were stealing information from compromised machines, they occasionally triggered permission pop-ups on the victim’s computer, which raised suspicion. However, the group effectively addressed this issue by giving the files they transferred benign and inconspicuous names.

The group employs a similar tactic when it comes to naming their malicious tools. They camouflage their tools as commonly-used web browsers, including Google Chrome, Mozilla Firefox, and Yandex, in an attempt to remain undetected.
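The browser-name camouflage described above is a file-name masquerade, and the defensive counterpart is to compare each process's executable name against the location it actually runs from. The following script is an added example written for this page, not code from PRODAFT or from the report it summarizes: it flags processes whose image name matches a well-known browser but whose path lies outside that browser's expected install directories. The expected-location table and the process listing are constructed assumptions for illustration and should be tuned to the environment being monitored.

```python
"""Flag processes that masquerade as common web browsers.

A process is flagged when its executable base name matches a known
browser (Chrome, Firefox, Yandex Browser) but its image path is outside
the directories that browser normally installs into. The expected paths
and the sample process list below are assumptions for this example, not
data from the Paperbug report.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Expected install prefixes per executable name, lower-cased with backslashes.
# Prefixes beginning with a backslash are per-user installs matched anywhere
# under the user profile (e.g. C:\Users\<name>\AppData\...). Assumed values.
EXPECTED_LOCATIONS: dict[str, tuple[str, ...]] = {
    "chrome.exe": (
        r"c:\program files\google\chrome\application" + "\\",
        r"c:\program files (x86)\google\chrome\application" + "\\",
    ),
    "firefox.exe": (
        r"c:\program files\mozilla firefox" + "\\",
        r"c:\program files (x86)\mozilla firefox" + "\\",
    ),
    # Yandex Browser's executable is named browser.exe (per-user install assumed).
    "browser.exe": (
        r"\appdata\local\yandex\yandexbrowser\application" + "\\",
    ),
}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    image_path: str


@dataclass(frozen=True)
class Finding:
    pid: int
    image_path: str
    reason: str


def _normalize(path: str) -> str:
    """Lower-case and use backslashes so prefix comparisons are stable."""
    return path.replace("/", "\\").lower()


def is_expected_location(name: str, path: str) -> bool:
    """True if `path` is under one of the expected install prefixes for `name`."""
    norm = _normalize(path)
    for prefix in EXPECTED_LOCATIONS.get(name, ()):
        if prefix.startswith("\\"):
            if prefix in norm:          # per-user install: match inside the path
                return True
        elif norm.startswith(prefix):   # machine-wide install: match from the root
            return True
    return False


def find_masquerading(processes: list[ProcessRecord]) -> list[Finding]:
    """Return one Finding per process that borrows a browser name from a foreign path."""
    findings: list[Finding] = []
    for proc in processes:
        name = ntpath.basename(_normalize(proc.image_path))
        if name not in EXPECTED_LOCATIONS:
            continue  # not a browser name we watch
        if not is_expected_location(name, proc.image_path):
            findings.append(Finding(proc.pid, proc.image_path,
                                    f"{name} running from an unexpected directory"))
    return findings


# Constructed sample listing: two legitimate browsers, two masquerades, one unrelated process.
SAMPLE_PROCESSES = [
    ProcessRecord(1204, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessRecord(3320, r"C:\Users\Public\Downloads\chrome.exe"),
    ProcessRecord(4410, r"C:\Users\alice\AppData\Local\Yandex\YandexBrowser\Application\browser.exe"),
    ProcessRecord(5108, r"C:\ProgramData\firefox.exe"),
    ProcessRecord(6002, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in find_masquerading(SAMPLE_PROCESSES):
        print(f"pid={finding.pid} {finding.reason}: {finding.image_path}")
```

Path-based matching alone is a first filter, not proof: a real browser installed to a non-default directory will also be flagged, so in practice the check is combined with signer verification or a hash allow-list before an alert is raised.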

Beyond this, the Paperbug attack chains are characterized primarily by the use of commonly available offensive tools and generic methods, which serve as a "disguise" for the group and complicate attribution.

PRODAFT noted that there appears to be a mismatch between the operators’ skills and the criticality of the mission, which suggests that the operators may have been enlisted by a third-party organization that provided them with a set of precise commands to execute on each machine. In this scenario, the operator would be obligated to follow a strict checklist, leaving little room for deviation from the prescribed protocol.

In conclusion, protecting against Paperbug attacks is crucial to safeguarding sensitive information, particularly for individuals in positions of power and influence. While being vigilant and taking the necessary precautions can go a long way in reducing the risk of falling prey to these attacks, it is always wise to consider additional measures to enhance security. One such measure is the use of encrypted mobile phones, which can provide an extra layer of protection against unauthorized access to sensitive data. By utilizing these tools, individuals can reduce the risk of data breaches and keep their personal and professional information secure.