SAN FRANCISCO — Links between threat group Tomiris and the advanced persistent threat (APT) group Nobelium, believed to be behind the notorious SolarWinds attack, are going cold. Research spotlighting new malicious campaigns by Tomiris now leads experts to believe that the two are not linked.
The insights come as a relief to those worried that we may not have heard the last from Nobelium (aka DarkHalo/APT29), the APT behind the sprawling SolarWinds supply chain attacks of 2020. In 2021, researchers at Kaspersky reported that Tomiris threat actors were using malware dubbed Sunshuttle, which had links to Nobelium and another threat group named Turla. Subsequent research linked the three APTs (Tomiris, Turla and Nobelium) primarily via their use of the malware.
“While our initial blog post introducing Tomiris noted similarities with malware used in the SolarWinds incident, we continued to track the two sets of activity separately,” according to a Kaspersky report released at the RSA Conference on Monday.
A fresh Kaspersky analysis of recent Tomiris APT attacks in Central Asia revealed that the group has been deploying the KopiLuwak and TunnusSched malware toolkits. The findings complemented previous research.
“On January 5, 2023, Mandiant released a blog post describing attacks against Ukrainian entities that they attributed to Turla,” Kaspersky wrote. While Mandiant’s analysis of KopiLuwak and TunnusSched led them to link Tomiris’ activity to Turla, Kaspersky believes the data culled from this latest campaign suggests Tomiris has no direct ties to Turla.
“What makes the most recent Tomiris operations notable is that they appeared to leverage KopiLuwak and TunnusSched malware, which were previously connected to Turla. However, despite sharing this toolkit, Kaspersky’s latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft,” Kaspersky wrote.
Similarities between Tomiris and Turla include that both are Russian-speaking and both have used the KopiLuwak crimeware. What sets them apart is that Tomiris’ lack of stealth, its targeting and its tradecraft are “significantly” at odds with Turla’s. Campaigns and tools originally linked to Turla may need to be reevaluated, Kaspersky said.
“Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla,” said Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla — although both actors likely cooperated at some point.”
New Tomiris campaigns
Kaspersky says the recent campaigns have been ongoing from 2021 through 2023. The Tomiris APT is focused on intelligence gathering, primarily in Central Asia but also in Southeast Asia and the Middle East.
“Tomiris is a very agile and determined actor, open to experimentation — for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram),” Kaspersky wrote.
Toolsets used by the threat actors include downloaders, backdoors and file-stealing tools that exfiltrate documents to the C2. Malware leveraged includes JLOGRAB (file stealer), JLORAT (backdoor) and Tomiris .NET (downloader). The KopiLuwak and TunnusSched toolsets, also used in recent campaigns, have links to the APT group Turla.
“Telemiris is used as a first-stage implant that operators use to deploy other tools such as Roopy, JLORAT, or even the legitimate WinSCP binary, to further exfiltrate files,” Kaspersky wrote.
In its post, Kaspersky concluded by acknowledging that APT threat research can often be a moving target.
“In the grander scheme of things, this investigation reveals the pitfalls that the information security industry faces when working on cyberattacks. We rely on a knowledge pool generously shared among all participants, yet information decays: what is true today may turn out to be wrong tomorrow. Discovering new, reliable data isn’t enough; existing assumptions also need to be substantiated — which can only happen when vendors publish data. In that spirit, we kindly thank Mandiant for the research they published.”