SAN FRANCISCO — Links between the threat group Tomiris and the advanced persistent threat (APT) group Nobelium, believed to be behind the notorious SolarWinds attack, are going cold. Research spotlighting new malicious campaigns by Tomiris now leads experts to believe that the two are not linked.

The insights come as a relief to those worried that we may not have heard the last from Nobelium (aka DarkHalo/APT29), the APT behind the sprawling SolarWinds supply chain attacks of 2020. In 2021, researchers at Kaspersky reported that Tomiris threat actors were using malware dubbed Sunshuttle, which had links to Nobelium and to another threat group named Turla. Subsequent research linked the three APTs (Tomiris, Turla and Nobelium) primarily through their use of that malware.

"While our initial blog post introducing Tomiris noted similarities with malware used in the SolarWinds incident, we continued to track the two sets of activity separately," according to a Kaspersky report released at the RSA Conference on Monday.

A fresh Kaspersky analysis of recent Tomiris attacks in Central Asia revealed that the APT has been deploying the KopiLuwak and TunnusSched malware toolkits. Those findings complemented previous research. "On January 5, 2023, Mandiant released a blog post describing attacks against Ukrainian entities that they attributed to Turla," Kaspersky wrote. While Mandiant's analysis of KopiLuwak and TunnusSched led them to link Tomiris' activity to Turla, Kaspersky believes the data culled from this latest campaign suggests Tomiris has no direct ties to Turla.

"What makes the most recent Tomiris operations notable is that they appeared to leverage KopiLuwak and TunnusSched malware, which were previously connected to Turla. However, despite sharing this toolkit, Kaspersky's latest research explains that Turla and Tomiris are very likely separate actors that could be exchanging tradecraft," Kaspersky wrote.

Similarities between Tomiris and Turla include that both are Russian-speaking and both have used the KopiLuwak malware. What sets them apart is that Tomiris' lack of stealth, its targeting and its tradecraft are "significantly" at odds with Turla's. Campaigns and tools originally linked to Turla may therefore need to be reevaluated, Kaspersky said.

"Our research shows that the use of KopiLuwak or TunnusSched is now insufficient to link cyberattacks to Turla," said Pierre Delcher, senior security researcher at Kaspersky's Global Research and Analysis Team (GReAT). "To the best of our knowledge, this toolset is currently leveraged by Tomiris, which we strongly believe is distinct from Turla — although both actors likely cooperated at some point."
RSAC, Threat Management
Tomiris links to APT behind SolarWinds attack put to rest

Research spotlighting new campaigns by Tomiris now leads experts to believe there are no links between the APT and Nobelium. (Suzanne Cordeiro/AFP via Getty Images)