A relatively unknown cyber espionage group called Paperbug, also known as Nomadic Octopus, has been linked to a politically motivated surveillance campaign that targeted high-ranking government officials, telecom services, and public service infrastructures in Tajikistan.
Swiss cybersecurity firm PRODAFT attributed the intrusion set to Nomadic Octopus, and its report indicates that the group has been active since at least 2014. Although it is unclear what the motive behind the attacks is, PRODAFT suggested that the attacks could be the work of opposition forces within the country or an intelligence-gathering mission carried out by Russia or China.
The attack is intelligence-driven, and the group used custom Android and Windows malware to target a mix of high-value entities like local governments, diplomatic missions, and political bloggers.
The Windows malware, called Octopus, masqueraded as an alternative version of the Telegram messaging app and is a Delphi-based tool that allows the adversary to surveil victims, siphon sensitive data, and gain backdoor access to their systems via a command-and-control (C2) panel.
Paperbug is the first campaign orchestrated by Nomadic Octopus since Octopus.
The latest attacks entailed the use of an Octopus variant that comes with features to take screenshots, run commands remotely, and download and upload files to and from the infected host to a remote server.
The group managed to successfully backdoor a total of 499 systems, including government network devices, gas stations, and a cash register, and is believed to have some level of cooperation with another Russian nation-state actor known as Sofacy.
Despite the high-stakes nature of the attacks, the group does not seem to possess advanced toolsets or be too concerned about covering their tracks on victim machines.
The group’s attack chains are largely characterized by the use of public offensive tools and generic techniques, effectively acting as a “cloak” for the group and making attribution a lot more challenging.
The report suggests that this imbalance between the operator skills and the importance of the mission might indicate that the operators have been recruited by some entity which provided them a list of commands that need to be executed on each machine. As a result, the operator follows a checklist and is forced to stick to it.
