RSAC, Threat Management

Tomoris links to APT behind SolarWinds attack put to rest

SolarWinds headquarters

SAN FRANCISCO — Links between threat group Tomiris and the advanced persistent threat (APT) group Nobelium, believed behind the notorious SolarWinds attack, are going cold. Research spotlighting new malicious campaigns by Tomiris now lead experts to believe that the two are not linked.

The insights come as a relief to those worried that we may not have heard the last from Nobelium (aka DarkHalo/APT29), the APT behind the sprawling SolarWinds supply chain attacks of 2020. In 2021, researchers at Kaspersky reported that Tomiris threat actors were using malware dubbed Sunshuttle, which had links to Nobelium and another threat group name Trula. Subsequent researcher linked the three APTs (Tomiris, Trula and Nobelium) primarily via the use of the malware.

“While our initial blog post introducing Tomiris noted similarities with malware used in the SolarWinds incident, we continued to track the two sets of activity separately,” according to a Kaspersky report released at the RSA Conference on Monday.

A fresh analysis of recent APT attacks by Tomiris in Central Asia by Kaspersky revealed the APT has been deploying KopiLuwak and TunnusSched malware toolkits. Their findings complimented previous research.

“On January 5, 2023, Mandiant released a blog post describing attacks against Ukrainian entities that they attributed to Turla,” Kaspersky wrote. While Mandiant’s analysis of KopiLuwak and TunnusSched led them to link Tomiris’ activity to Turla, Kaspersky believes the data culled from this latest campaign suggests Tomiris has no direct ties to Turla.

Click here for all of SC Media's coverage from the RSA Conference 2023

“What makes the most recent Tomiris operations notable is that they appeared to leverage KopiLuwak and TunnusSched malware, which were previously connected to Turla. However, despite sharing this toolkit, Kaspersky’s latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft,” Kaspersky wrote.

Similarities between Tomiris and Trula include they are both Russian-speaking and they have both used crimeware called KopiLuwak. What sets them apart is Tomiris’ lack of stealth, targeting and tradecraft are “significantly” at odds with Trula. Campaigns and tools originally linked to Turla may need to be reevaluated, Kaspersky said.

“Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla,” said Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla — although both actors likely cooperated at some point.”

New Tomiris campaigns

Kaspersky says recent campaigns have been ongoing through 2021 and 2023. The Tomiris APT is focused on intelligence gathering primarily in Central Asia, but also Southeast Asia and the Middle East.

“Tomiris is a very agile and determined actor, open to experimentation — for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram),” Kaspersky wrote.

Toolsets used by the threat actors include downloaders, backdoors and file stealing tools to exfiltrate documents to the C2. Malware leveraged include JLOGRAB (file stealer), JLORAT (backdoor) and Tomiris .NET (downloader). Toolsets KopiLuwak and TunnusSched, also used in recent campaigns, have links to APT group Turla.

“Telemiris is used as a first-stage implant that operators use to deploy other tools such as Roopy, JLORAT, or even the legitimate WinSCP binary, to further exfiltrate files,” Kaspersky wrote.

In its post, Kaspersky concluded by acknowledging APT threat research can often be a moving target.

“In the grander scheme of things, this investigation reveals the pitfalls that the information security industry faces when working on cyberattacks. We rely on a knowledge pool generously shared among all participants, yet information decays: what is true today may turn out to be wrong tomorrow. Discovering new, reliable data isn’t enough; existing assumptions also need to be substantiated — which can only happen when vendors publish data. In that spirit, we kindly thank Mandiant for the research they published.”

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.