Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers

Certain campaigns previously connected to the Russian advanced persistent threat (APT) Turla were actually conducted by what appears to be an entirely separate group researchers have named "Tomiris."

Turla (aka Snake, Venomous Bear, or Ourobouros) is a notorious threat actor with ties to the Russian government. Over the years it has utilized zero-days, legitimate software, and other means to deploy backdoors in systems belonging to militaries and governments, diplomatic entities, and technology and research organizations. In one case, it was even linked, through its Kazuar backdoor, to the SolarWinds breach.

Not everything is Turla, though. In a new blog post, researchers from Kaspersky have published evidence that certain attacks previously correlated with Turla were carried out by Tomiris, an entirely different group with different tactics, techniques, and procedures (TTPs) and affiliations.

"We strongly believe Tomiris is separate," says Pierre Delcher, senior security researcher at Kaspersky's GReAT. "It's not the same targeting, not the same tools, not the same sophistication as Turla."

Separating Turla and Tomiris

Attribution in cyberspace is difficult. "Highly skilled actors use techniques that mask their origins, render themselves anonymous, or even misattribute themselves with false flags to other threat groups to throw researchers off the track," explains Adam Flatley, former director of operations at the National Security Agency and VP of intelligence at [Redacted]. "Often we can only rely on a threat actor's operational security mistakes to find leads on their true identities."

Tomiris is a case in point. Kaspersky began tracking what now appears to have been Tomiris activity three years ago, in a DNS hijacking campaign against a Commonwealth of Independent States (CIS) government. The culprits' hallmarks appeared to be a mix of Russian APT soup. The Tomiris backdoor was discovered on networks alongside Turla's Kazuar backdoor, which itself had parallels to the Sunburst malware used in SolarWinds' breach.

Yet the details connecting Tomiris and Turla never quite lined up. "The implants they deployed were ... well, they sounded off, compared to what we knew about Turla," Delcher says. "So really, there was basically nothing in common, and even the targets were actually not fitting what we knew of past Turla interests."

Targeting is a major clue. "Tomiris is very focused on government organizations in the CIS, including the Russian Federation," Delcher explains, "whereas in the cybersecurity scene, some vendors associate Turla as a Russian-backed actor. That wouldn't make a lot of sense, if a Russian-sponsored actor targeted the Russian Federation."

As recently as this year, Mandiant published research about a Turla campaign in which it admitted, at one point, that there were "some elements of this campaign that appear to be a departure from historical Turla operations." The Kaspersky researchers have, with "medium confidence," assigned these findings to Tomiris operations.

Connecting Turla and Tomiris

All this isn't to say there's no connection at all between Tomiris and Turla.

In attacks between 2021 and 2023, Tomiris made use of KopiLuwak and TunnusSched — two of Turla's malicious tools. Because they had Turla's goods, Delcher says, "we strongly believe they might have been cooperating at some point, or they might still be cooperating right now."

Exactly how the groups connect is up for grabs. "They could be running an operation together," Delcher speculates, "or they could rely on a similar supply chain. They could have, for example, asked an independent developer to develop a backdoor, and the independent developer provided it to both Turla and Tomiris."

A more definitive answer will be hard to come by. "The only way to reliably and consistently get accurate attribution," Flatley bemoans, "is to use computer network exploitation techniques that are only legally allowed for government agencies to employ."

Why This Matters to Businesses

Distinguishing between threat actors isn't simply an educational exercise, Delcher says. It can help organizations better defend themselves.

For example, an organization affected by or otherwise worried about Turla might see the Kazuar malware and assume it's the work of that group.

"So, you grab all of the Turla IoCs, the technical intelligence, and address it with that assumption," Delcher says. "Of course, this is misguided because if they are not the same actors they won't use the exact same techniques, or the same implants. From the defender's perspective, you don't want to end up confused."

Diligent defenders will do well to pay attention to the subtle differences between groups, but certain principles apply across APTs.

"Elite threat actors will still take the easy way in if it exists, so reducing attack surface with things such as aggressive patch management and implementing MFA on every account possible still goes a long way," Flatley says. Prevention isn't enough against groups like this, though, so advanced detection capabilities and a plan for the worst case scenario are also necessary. "Visibility, married with a well-constructed and regularly practiced incident response plan, can greatly reduce the risk associated with threat actors of all levels."