Russian cyber espionage groups surprisingly do not share much code in their development, suggesting that the nation's various attack groups are isolated from one other, according to new analysis by security firm Check Point Software Technologies and machine-learning startup Intezer.
The companies analyzed more than 2,000 code samples, reverse engineering them to remove common open-source code, and then comparing the non-public code samples — the "genes," in Intezer's parlance — to determine shared roots of the software. A map created from the data shows shared code within groups, but only a few connections between software thought to be used by different groups.
"We were surprised to see these notable disconnections between different actors," says Itay Cohen, a researcher and reverse engineer with Check Point. "This shows that Russia is willing to invest a lot of money in these operations to make sure that ... if one group's malware is detected, and a defense created, it won't cause problems for other groups."
The report is the perhaps the first broad analysis of potential code similarities between the various tools used by groups thought to be connected to the Russian government. Check Point and Intezer focused on a dozen different groups, including the major Turla, Sofacy, and Black Energy espionage groups, finding that only in a few cases did the groups appear to share code.
The analysis discovered 22,000 connections between the samples, including almost 4 million shared code samples. The analysis grouped the samples into 200 different modules and 60 different families, the report stated.
The conclusion: The coders behind the Russian advanced persistant threat (APT) infrastructure are largely distributed and unconnected to each other.
"Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," the researchers stated. "Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity."
The interactive map created by the company illustrates the commonality between the different groups. Black Energy has almost a dozen components that share a great deal of code, creating a tight group on the visualization of the data.
"Each edge represents similar code between two families: it could be a lot of code, or just one function," Cohen says. "We released this information open source, so other researchers can investigate the connections themselves."
The companies originally thought that the groups would have more shared code because that would be more efficient and less costly. Instead, each of the twelve groups seem to be independent of each other, which means that the nation is likely paying significant development costs, says Cohen.
"Different people worked on the same functionality for different development efforts," he says. "So it obviously cost a lot of money, because there is redundant code being used."
Along with MITRE's Att&ck framework, the effort is one of the few to try to make sense of the landscape of APTs, rather than mostly analyzing specific threats. To date, security firms typically focus on reverse engineering the tools and techniques used in major campaigns, such as whether Fancy Bear's tools have become more complex or more simple, or the amount of profit North Korea has made from its cyber operations.
Too Many Names
In the report, Check Point and Intezer's researchers criticized the security industry for the "frustrating" failure to settle on a common naming standard for advanced persistent threats. The group known as Fancy Bear by Crowdstrike, for example, is called APT28 by FireEye, Sofacy by Kaspersky Lab, and Pawn Storm and TG-4127 by Secureworks. Without a common lexicon for such threats, any analysis has to connect all the disparate names for the same threats, the researchers stressed.
"Every Russian APT actor and every malware family have more than a few names given to them by different vendors, researchers, and intelligence institutions," the report stated. "Some names will be used by different vendors to describe different families; some malware families would be described with different names by the same vendor; other malware families simply do not have a clear name."
The report relies heavily on other security firms' and threat researchers' attribution of code and modules to specific groups. While Check Point and Intezer connected code based on their similarities, the attribution of that code came from other groups. The older BlackEnergy and more recent Energetic Bear, for example, both had a matching sample of code that hides the attackers' tracks by deleting the tool, but that code likely came from a public source, the report stated.
"Despite the fact that self-delete functions are pretty common in malware, it is rare to see an exact 1:1 match in the binary level, which matches only for these two malware families out of all the malware families indexed," the report stated.
As part of the research, the companies released a tool - dubbed the Russian APT Detector - that uses the code signatures to detect programs involved in Russian-attributed espionage.