Tajikistani carrier hacked by Russia-linked Nomadic Octopus APT
The hacking group, also known as DustSquad, has been active since 2014 and targets Central Asia and former Soviet Union countries.
A Russia-linked cyberespionage group, Nomadic Octopus APT, hacked a Tajikistani telecoms provider to spy on 18 entities, including high-ranking government officials, telecommunications services, and public service infrastructure.
The group compromised a broad range of devices, from individuals' computers to OT devices, as part of an operation dubbed Paperbug.
According to a report on the incident by PRODAFT, a cyber threat intelligence company, Nomadic Octopus had been spying on the carrier since November 2020. In this attack the group used multiple servers as C2 for its backdoors and tools. The attacker relied on publicly available offensive tools, which makes attribution to a specific actor hard. The tools were downloaded onto the victim's systems during the victim's active hours, placed into directories that are rarely inspected, and given legitimate-looking file names such as Google Update, Chrome Update and Java Update so as not to raise suspicion. The report notes that the attacker fell back to alternative tools when the preferred one failed and, in some cases, forgot to rename the alternative, which is what eventually drew attention.
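The masquerading pattern described above (offensive tooling dropped under vendor-updater names in rarely inspected directories, sometimes with the real tool name left in place) is something a defender can hunt for in a file inventory. The following is an added example written for this page, not code from the article or from PRODAFT's report: it runs two checks over a constructed inventory export. The first flags any binary whose name mimics a known updater but sits outside that updater's expected install directory or lacks the expected signer; the second reports file names that resolve to more than one hash across the fleet, which is what swapping tools under a reused name would produce. The expected directories, publisher strings, host names, paths and hashes are all assumptions made for illustration.

```python
"""Hunt for binaries masquerading as vendor updaters in a file inventory.

Added example, not taken from the article or the PRODAFT report. The
"legitimate" profiles below (allowed directories, expected Authenticode
signer) are assumptions for illustration; adjust them to what is actually
deployed in the environment being checked.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
import re

# Assumed profiles for the updater names mentioned in the article.
# pattern: matched against the file name stem (case-insensitive);
# dirs: lower-cased parent directories where the real updater lives;
# publisher: expected signer subject.
KNOWN_UPDATERS = {
    "google_update": {
        "pattern": re.compile(r"^google\s*update", re.I),
        "dirs": (r"c:\program files (x86)\google\update",
                 r"c:\program files\google\update"),
        "publisher": "Google LLC",
    },
    "chrome_update": {
        "pattern": re.compile(r"^chrome\s*update", re.I),
        "dirs": (r"c:\program files (x86)\google\update",
                 r"c:\program files\google\update"),
        "publisher": "Google LLC",
    },
    "java_update": {
        "pattern": re.compile(r"^java\s*update", re.I),
        "dirs": (r"c:\program files (x86)\common files\java\java update",),
        "publisher": "Oracle America, Inc.",
    },
}

# Constructed inventory records (host, path, signer, sha256); the hashes
# are placeholders, not real file hashes.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "signer": "Google LLC", "sha256": "sha-A"},
    {"host": "ws-02", "path": r"C:\Users\Public\Libraries\GoogleUpdate.exe",
     "signer": None, "sha256": "sha-B"},
    {"host": "ws-03", "path": r"C:\ProgramData\Java Update.exe",
     "signer": None, "sha256": "sha-C"},
    {"host": "ws-04", "path": r"C:\ProgramData\Java Update.exe",
     "signer": None, "sha256": "sha-D"},
    {"host": "ws-05", "path": r"C:\Windows\Temp\ChromeUpdate.exe",
     "signer": None, "sha256": "sha-E"},
]


def flag_masquerading(inventory):
    """Return records whose name mimics an updater but whose location or
    signer does not match the assumed legitimate profile."""
    findings = []
    for rec in inventory:
        p = PureWindowsPath(rec["path"])
        # Normalise separators so "Google_Update" and "Google-Update" match too.
        stem = p.stem.replace("_", " ").replace("-", " ")
        parent = str(p.parent).lower()
        for name, prof in KNOWN_UPDATERS.items():
            if not prof["pattern"].match(stem):
                continue
            reasons = []
            if not any(parent.startswith(d) for d in prof["dirs"]):
                reasons.append(f"unexpected directory {p.parent}")
            if rec.get("signer") != prof["publisher"]:
                reasons.append(f"signer {rec.get('signer')!r} != {prof['publisher']!r}")
            if reasons:
                findings.append({"host": rec["host"], "path": rec["path"],
                                 "profile": name, "reasons": reasons})
    return findings


def find_name_hash_conflicts(inventory):
    """Map each file name (lower-cased) that appears with more than one
    distinct hash to the set of hashes seen; one name, several binaries is
    the footprint of tools being swapped under a reused decoy name."""
    hashes_by_name = defaultdict(set)
    for rec in inventory:
        hashes_by_name[PureWindowsPath(rec["path"]).name.lower()].add(rec["sha256"])
    return {name: h for name, h in hashes_by_name.items() if len(h) > 1}


if __name__ == "__main__":
    for f in flag_masquerading(SAMPLE_INVENTORY):
        print(f"[{f['host']}] {f['path']} looks like {f['profile']}: {'; '.join(f['reasons'])}")
    for name, hashes in find_name_hash_conflicts(SAMPLE_INVENTORY).items():
        print(f"name reused with {len(hashes)} different hashes: {name} -> {sorted(hashes)}")
```

On the constructed inventory the legitimate GoogleUpdate.exe on ws-01 passes both checks, the four decoys are flagged with the reason that applies (wrong directory, missing signer, or both), and the two names that carry more than one hash are reported separately. In a real deployment the signer field would come from the endpoint agent's Authenticode verification rather than from a static string comparison, and the profile table would be generated from a known-good build image instead of maintained by hand.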
PRODAFT also noted that the rise in attacks on Central Asia by state-sponsored Russian-speaking threat actors may indicate that the group has connections to other state-sponsored threat actors.