The investigation by cybersecurity solutions company Kaspersky shows that while Tomiris deployed malware previously linked to Turla, there was no connection between the two APT groups.
Kaspersky first publicly described Tomiris in September 2021, following the investigation of a DNS hijack against a government organization in the Commonwealth of Independent States (CIS).
However, recent findings of Tomiris’ activities do not match the initial results of the research. According to Kaspersky, “Tomiris is undoubtedly Russian-speaking, but its targeting and tradecrafts are significantly at odds with what has been observed for Turla.” The research also showed that Tomiris’s general approach to intrusion and limited interest in stealth does not match documented Turla tradecraft.
“Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla,” Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said in a statement.
KopiLuwak and TunnusSched malware were previously connected to Turla.
In the initial investigation, Kaspersky noted inconclusive similarities with the SolarWinds incident. Researchers continued to track Tomiris as a separate threat actor over several new attack campaigns between 2021 and 2023, and Kaspersky’s telemetry allowed them to shed light on the group’s toolset and its possible connection to Turla.
“To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla – although both actors likely cooperated at some point,” Delcher explained. “Looking at tactics and malware samples only gets us so far, and we are often reminded that threat actors are subject to organizational and political constraints. This investigation illustrates the limits of technical attribution that we can only overcome through intelligence sharing.”
The threat actor targets government and diplomatic entities in the CIS with the final aim of stealing internal documents. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.
Tomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other “creative” methods.
However, despite sharing this toolkit, Kaspersky’s latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft.