Kaspersky has published new findings on the Russian-speaking threat actor behind a backdoor known as Tomiris. The researchers found that the group is primarily focused on gathering intelligence in Central Asia and regularly steals internal documents from government and diplomatic entities in the CIS.
This latest assessment is based on three new attack campaigns mounted by the group between 2021 and 2023.
Furthermore, the group uses a “polyglot toolset” comprising a variety of low-sophistication “burner” implants that are coded in different programming languages and repeatedly deployed against the same targets. The custom malware arsenal used by the group falls into one of three categories: downloaders, backdoors, and information stealers. Kaspersky’s investigation of the attacks has further identified overlaps with a Turla cluster tracked by Google-owned Mandiant under the name UNC4210.
Despite the potential ties between the two groups, Tomiris is said to be separate from Turla owing to differences in their targeting and tradecraft.
However, it is also highly probable that Turla and Tomiris collaborate on select operations, or that both actors rely on a common software provider, as exemplified by Russian military intelligence agencies’ use of tools supplied by a Moscow-based IT contractor named NTC Vulkan.
The researchers concluded that “there exists a form of deliberate cooperation between Tomiris and Turla.”