Nomadic Octopus

Threat Actor Profile Updated a month ago
Nomadic Octopus is a suspected Russian advanced persistent threat (APT) group. Since 2020 it has run a cyber-espionage campaign, tracked as Paperbug, against targets in Tajikistan. According to a report by the Swiss cybersecurity company Prodaft, the group compromised a Tajikistani telecommunications carrier and used that access to spy on government officials and public-service infrastructure, reaching government networks, individual computers and operational technology devices such as gas station systems. Prodaft assesses that the initial foothold was most likely a compromise of an as yet unidentified network; the exact timing and method of that initial intrusion remain unknown.

The group has been spying on the carrier continuously since November 2020. Its operators capture screenshots, in particular while targeted users are writing emails or drafting new contracts for their customers. In the Paperbug campaign the actor operated several servers as command-and-control (C2) infrastructure for its backdoors and tools.

ESET has identified only a single malware family in use by Nomadic Octopus and has found evidence that the group has been active since at least 2015, which points to a long-running, persistent operation. Anton Cherepanov, a senior malware researcher at ESET, noted that the operators may be Russian speakers, based on the spear-phishing emails they send and the Russian-language filenames used for their malware. ESET presented the actor's operations at the Virus Bulletin conference earlier this month, giving a detailed account of the group's tactics, techniques and procedures (TTPs). Understanding how groups like Nomadic Octopus operate is essential for building effective defences against them.
Possible Aliases / Cluster overlaps
Naming conventions and cluster overlaps between vendors are hard to track, so the following names and profiles may overlap with this actor and are worth reviewing alongside it.
Name (votes): Profile description

DustSquad (2 votes): DustSquad, also known as Nomadic Octopus, is a notable threat actor that has been implicated in several cyber-espionage campaigns. Throughout 2018, DustSquad targeted political entities in Central Asia using the Octopus malware, alongside other actors such as IndigoZebra and Sofacy that were active in the region. This was revealed

Paperbug (2 votes): Paperbug is a cyber-espionage campaign executed by a suspected Russian threat actor known as Nomadic Octopus, also referred to as DustSquad. The Swiss cybersecurity company Prodaft has released a report detailing the actions of this group, outlining their tactics, techniques, and procedures (TTPs).
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
russian
Russia
Phishing
Espionage
Malware
Apt
exploitation
Government
Exploit
Infiltration
Associated Malware
Name (type, votes): Profile description

Octopus (type unspecified, 3 votes): Octopus is malware, a harmful program designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Associated Threat Actors
Name (type, votes): Profile description

Frozenlake (type unspecified, 1 vote): Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln

Sofacy (type unspecified, 1 vote): Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e

APT28 (type unspecified, 1 vote): APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor group that has been active since 2007. This Russia-linked entity targets governments, militaries, and security organizations worldwide with malicious intent. In recent years, the group has
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Nomadic Octopus threat actor was read from the documents listed below.

Source, created: Title

MITRE, a year ago: Russia-Linked Hackers Target Diplomatic Entities in Central Asia
CERT-EU, a year ago: Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services | IT Security News
CERT-EU, a year ago: Cyber security week in review: April 28, 2023
CERT-EU, a year ago: Paperbug Attack: New Politically-Motivated Surveillance Campaign in Tajikistan
CERT-EU, a year ago: Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services
Securityaffairs, a year ago: Russian APT Nomadic Octopus hacked Tajikistani carrier
CERT-EU, a year ago: New group Nomadic Octopus spies on Tajikistan's ministers (original Russian title: Новая группировка Nomadic Octopus шпионит за министрами Таджикистана)