Kaspersky investigates Tomiris APT group targeting government entities in CIS

Kaspersky has released a new investigation on Tomiris APT group that focuses on intelligence gathering in Central Asia. This Russian-speaking actor uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable, presumably in order to obstruct attribution. What drew the researchers’ special attention is that Tomiris deploys malware that was previously linked to Turla, another notorious APT group.

Kaspersky first publicly described Tomiris in September 2021, following the investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Back then, the researchers had noted inconclusive similarities with the SolarWinds incident. They continued to track Tomiris as a separate threat actor over several new attack campaigns between 2021 and 2023, and Kaspersky’s telemetry allowed to shed light on the group’s toolset and its possible connection to Turla.

The threat actor targets government and diplomatic entities in the CIS with the final aim to steal internal documents. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.

Tomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other “creative” methods.

Relationships between Tomiris tools. Arrows indicate a distribution link (parent distributed, downloaded or contained child)

What makes most recent Tomiris’ operations special is that, with medium-to-high confidence, they leveraged KopiLuwak and TunnusSched malware that were previously connected to Turla. However, despite sharing this toolkit, Kaspersky’s latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft.

Tomiris is undoubtedly Russian-speaking, but its targeting and tradecrafts are significantly at odds with what has been observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth do not match documented Turla tradecraft. However, Kaspersky’s researchers believe that tools sharing is a potential proof of some cooperation between Tomiris and Turla, the extent of which is difficult to assess. In any case, depending on when Tomiris started using KopiLuwak, a number of campaigns and tools believed to be linked to Turla may in fact need to be re-evaluated.

“Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla. To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla – although both actors likely cooperated at some point. Looking at tactics and malware samples only gets us so far, and we are often reminded that threat actors are subject to organizational and political constraints. This investigation illustrates the limits of technical attribution, that we can only overcome through intelligence sharing.” comments Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).