A Russian espionage group known as Nomadic Octopus has spied on high-ranking Government officials, Public Servants and telecom services in Tajikistan, according to cyber threat intelligence company Prodaft.
Entry was likely gained by infiltrating a mobile phone carrier, the company said.
“Also referred to as DustSquad, Nomadic Octopus is known for the targeting of individuals and diplomatic entities in Central Asia, mainly in Afghanistan and former Soviet Union countries,” Prodaft said.
“Dubbed Paperbug, Nomadic Octopus’ Tajikistani campaign has been ongoing since 2020, resulting in the compromise of Government networks, individual computers, and operational technology (OT) devices, such as gas station systems.”
It said that, as part of its Paperbug campaign, Nomadic Octopus periodically stole emails, documents, and messaging application chat histories, and also spied on victims in real time, taking screenshots when they were writing emails or creating new contracts.
“Access to victims was obtained through the compromised networks of a Tajikistan-based telecom company,” the company said.
“The threat actor has continued to harvest information from the carrier since November 2020.
“It is determined that the Paperbug operation started in this firm’s network then expanded its access through document theft, stolen clients’ contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services.”
It said Nomadic Octopus used multiple servers to manage the back-doors and tools deployed as part of the campaign. The back-doors allowed the attackers to execute various commands on the victims’ machines.
The attackers named their tools in a manner meant to hide the activity, including Google Update, Chrome Update, Java Update, and Google Crash Handler.
“It is clear to see that Nomadic Octopus is actively searching for OT devices, Government networks and officers and public service infrastructures,” Prodaft said.
“These targets enable them to gather closed confidential sources and surveillance on Tajikistan and its people.”
Dushanbe, 1 May 2023