When Cyber Spies Come Calling

In September 2020 a Russian-speaking cyber espionage gang called Nomadic Octopus singled out Tajikistan’s government and its public service infrastructure. The point of initial access was through the Central Asian country’s national telephone operator, according to Prodaft, the cyber threat intelligence company that discovered the breach.

While it is still not clear how the gang broke into the operator, once it got inside it began to perform reconnaissance on the phone network and its customers and affiliates.

Using stolen client contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services, the gang leveraged this initial entry point to hack the devices of government officials and business executives belonging to at least 18 ultimate targets.

The insidious operation, code-named Paperbug, allowed the gang to spy on targets for almost two years. Back doors it installed on victims’ devices allowed Nomadic Octopus to not only watch victims write emails and create new contracts for customers but capture the information by secretly taking screenshots, running commands remotely and downloading and uploading files.

“Once they have a back door, they pretty much own the device,” says Yigit Colakoglu, a Prodaft cyber threat analyst that helped detect the operation and detail it in a case study released April 27.

The Paperbug operation is a reminder that espionage operations can easily fly under the radar and sensitive information can be leaked without the victims even realizing, he says. It is difficult to calculate the damage of the Paperbug campaign- which lasted until June 2022- because it is unclear what the group’s motive was and what they were searching, he says. “We know many files were stolen and screenshots of emails and identifying information captured,” says Colakoglu. “The victims were high profile so I would say important information was likely stolen.”

The most common targets of cyber espionage include large corporations, government agencies, academic institutions, think tanks or other organizations that possess valuable IP and technical data that can create a competitive advantage for another organization or government. Targeted campaigns can also be waged against individuals, such as prominent political leaders and government officials, business executives and celebrities.

These attacks can be motivated by monetary gain or deployed in conjunction with cyber terrorism or cyber warfare. The impact of cyber espionage, particularly when it is part of a broader military or political campaign, can lead to disruption of public services and infrastructure, as well as loss of life. “It is not among the top five threats [in cybersecurity] but in terms of risk to governments and society it is a big threat,” says Colakoglu.

Cloak And Dagger

Not much is known about Nomadic Octopus other than the fact that its members are Russian speaking. The group uses public tools and generic techniques as a “cloak”, says Colakoglu, making detection and identification more difficult. During operation Paperbug hacking tools were placed into commonly unchecked directories. Since most of these require firewall permissions or additional privileges the cyber spies give the tools inconspicuous names such as ChromeUpdate.exe[16] so that victims will accept the requests. But they sometimes slipped up and forgot to change the name of the executable files, causing pop-ups to appear and some victims to suspect there was something wrong. Paperbug was shut down but Nomadic Ocotopus and other cyber spy groups such as Sofacy (also known as Fancy Bear) are still active in Central Asia and elsewhere. It’s a global issue and doesn’t seem to be slowing down, he says.

Since April 2020, cyber espionage targeting coronavirus research has been reported against laboratories in the U.S., UK, Spanish, South Korean, Japanese and Australia. This activity was conducted by Russian, Iranian, Chinese, and North Korean actors, according to CrowdStrike, a cybersecurity company specializing in endpoint protection that was named a World Economic Forum Technology Pioneer in 2015.

One cyber espionage breach discovered by CrowdStrike in the second half of 2020 involved a targeted intrusion into an academic institution developing COVID-19 testing capabilities. The malicious activity was attributed to Chinese hackers, which gained initial access by way of a successful SQL injection attack against a vulnerable Web server. Once inside the cyber spies compiled and launched a Web shell – malicious scripts that enable threat actors to compromise Web servers and launch additional attacks – that was used to perform various malicious activities largely focused on information gathering and collection.

In 2022, CrowdStrike said Chinese espionage gangs were observed targeting nearly all 39 global industry sectors and 20 geographic regions it tracks.

According to CrowdStrike cyber spies most commonly attempt to access the following assets:

  • IP, such as product formulas or blueprints
  • Salaries, bonus structures and other sensitive information regarding organizational finances and expenditures
  • Client or customer lists and payment structures
  • Business goals, strategic plans and marketing tactics
  • Political strategies, affiliations and communications
  • Military intelligence
  • Academic research data

Many of the most advanced cyber espionage campaigns are coordinated by well-funded, state-based groups. Prominent nation-state actors and well-known cyber espionage groups include:

Pioneer Kitten, an Iran-based hacking group that has been active since at least 2017 and has a suspected nexus to the Iranian government. In late July 2020, an actor  associated with the group was spotted on an underground forum advertiseing that he was selling access to compromised networks “That activity is suggestive of a potential attempt at revenue stream diversification on the part of the group, alongside its targeted intrusions in support of the Iranian government,” according to CrowdStrike.

Fancy Bear (also known as APT28, Sofacy) uses phishing messages and spoofed websites that closely resemble legitimate ones in order to gain access to conventional computers and mobile devices. Operating since at least 2008, Crowdstrike says this Russia-based attacker has targeted U.S. political organizations, European military organizations and victims in multiple sectors across the globe.

Goblin Panda (also known as APT27) was first observed in September 2013 when CrowdStrike discovered indicators of attack in the network of a technology company that operates in multiple sectors. This China-based cyber espionage group uses two Microsoft Word exploit documents with training-related themes to drop malicious files when opened. Targets are mostly in the defense, energy and government sectors in Southeast Asia, particularly Vietnam.

Helix Kitten (also known as APT 34) has been active since at least late 2015 and is likely Iran-based. It targets organizations in aerospace, energy, financial, government, hospitality and telecommunications and uses well-researched and structured spear-phishing messages that are highly relevant to targeted personnel. It commonly delivers a custom Powershell implant through macro-enabled Microsoft Office documents.

En Garde

 So how do organizations stay safe? One of the crucial aspects of ensuring protection is to configure network security configurations correctly, says Prodaft. This includes setting up firewalls, encryption protocols, and other security measures to ensure that unauthorized individuals cannot gain network access and regularly update security systems to protect against new threats.

Training employees about cybersecurity topics and how to identify and respond to threats is key, says Prodaft, as cybersecurity threats can come in many forms, including phishing attacks and other social engineering tactics.

Older versions of software and operating systems are often more susceptible to cybersecurity attacks. Updating to the latest version ensures that you have access to the latest security patches, minimizing the risk of an attack, says the cyber threat intelligence company.

One of the most common ways that attackers gain access to a network is through weak or easily guessable credentials so it is important to make passwords complex and difficult to guess. Use two-factor authentication whenever possible to add an extra layer of security to your network, says Prodaft. It also advises that extensions of downloaded files be double checked, especially on Windows devices, which often hide the true extension of a file.

As supply chain attacks are happening more frequently organizations need to know which vendors’ products they are using and check any updates before applying them, says Colakoglu.

Organizations operating critical infrastructure need to follow all of these described precautions but be even more rigorous in applying them, he says. As Paperbug demonstrated once cyber spies gain entry it is all too easy for groups like Nomadic Octopus to extend their tentacles.

This article is content that would normally only be available to subscribers. Sign up for a four-week free trial to see what you have been missing.

To access more of The Innovator’s Cybersecurity stories click here.




About the author

Jennifer L. Schenker

Jennifer L. Schenker, an award-winning journalist, has been covering the global tech industry from Europe since 1985, working full-time, at various points in her career for the Wall Street Journal Europe, Time Magazine, International Herald Tribune, Red Herring and BusinessWeek. She is currently the editor-in-chief of The Innovator, an English-language global publication about the digital transformation of business. Jennifer was voted one of the 50 most inspiring women in technology in Europe in 2015 and 2016 and was named by Forbes Magazine in 2018 as one of the 30 women leaders disrupting tech in France. She has been a World Economic Forum Tech Pioneers judge for 20 years. She lives in Paris and has dual U.S. and French citizenship.