A report released by PRODAFT on April 27 this year explores an operational environment owned by the Nomadic Octopus espionage group, which has reportedly been active since 2020.
“Nomadic Octopus’ Paperbug Campaign”, in particular, notes that the group specifically targets Tajikistan’s high-ranking government officials, telecommunication services, and public service infrastructure.
The report says that, according to the unearthed victim data, Tajikistan is the ultimate target of this operation. The target list includes, but is not limited to, Tajikistan’s government officials, public service infrastructure and the telecom provider.
Judging by how frequently Nomadic Octopus took screenshots, especially while targeted victims were writing e-mails and drafting new contracts for their customers, the group spied on the devices and took its notes diligently.
Operation PaperBug aligns with the common trend of attacks on Central Asian government infrastructure, which has recently become more prominent. This trend can reportedly also be seen in other Russian-speaking state-sponsored threat actors such as Sofacy, which has also been observed attacking telecommunication infrastructure in the Central Asian region, including Tajikistan. This indicates that there might be some ties between the main subject of this report, Nomadic Octopus, and other prominent espionage groups like Sofacy.
The report has published the names of some high-ranking Tajik state officials who might have been the victims of a hacker attack. Among them are the then Minister of Transport Khudoyor Khudoyorzoda; the former Deputy Governor of Khatlon Province (currently Deputy Mayor of Dushanbe) Amirkhon Qurbonzoda; Deputy Interior Minister Saidnakhsha Rahmonzoda; Head of the CIS Department at the President’s Executive Office Andulaziz Sharifi; and the former Head of the Department for Agriculture and Environmental Protection at the President’s Executive Office (currently Head of Fayzobod District) Bobisho Kholzoda.
The group’s interests reportedly also extend to OT devices: the victim list includes four gas stations and one cash register. The group also targets telecom companies. The aspect setting this operation apart from other operations conducted in Central Asia is the method it uses to compromise its victims. According to the report, the starting point of this operation was the compromise of the networks of a Tajikistan-based telecom company.
Virus Bulletin says Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2015. Nomadic Octopus is a new APT (advanced persistent threat) that has been observed conducting campaigns involving Android and Windows malware, mainly written in the Delphi programming language, and building custom variants. The main goal of Nomadic Octopus appears to be cyber espionage against high-value targets, including diplomatic missions in the region. However, besides these high-value targets, it reportedly also targeted a local political blogger, which may suggest that Nomadic Octopus also conducts cyber surveillance operations. Nomadic Octopus carries out its activity using unique, custom-made malware.
PRODAFT is a pioneering company in the cyber threat intelligence industry, supporting the private and public sectors globally with its solutions. With a mission of preventing breaches before they happen, PRODAFT reduces the time and energy spent on the analysis, interpretation, and verification of potential threats. Every day, hundreds of companies from critical sectors use the U.S.T.A. SaaS platform to receive actionable insights right from the source. Its mission is reportedly to protect citizens, businesses, and governments from major security threats by providing timely and accurate information. PRODAFT was named one of Europe’s most successful technology initiatives by the Red Herring international media agency.