Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/24/2019
02:00 PM
50%
50%

Russia Chooses Resiliency Over Efficiency in Cyber Ops

New analysis of the software used by espionage groups linked to Russia finds little overlap in their development, suggesting that the groups are siloed.

Russian cyber espionage groups surprisingly do not share much code in their development, suggesting that the nation's various attack groups are isolated from one other, according to new analysis by security firm Check Point Software Technologies and machine-learning startup Intezer.

The companies analyzed more than 2,000 code samples, reverse engineering them to remove common open-source code, and then comparing the non-public code samples — the "genes," in Intezer's parlance — to determine shared roots of the software. A map created from the data shows shared code within groups, but only a few connections between software thought to be used by different groups.

"We were surprised to see these notable disconnections between different actors," says Itay Cohen, a researcher and reverse engineer with Check Point. "This shows that Russia is willing to invest a lot of money in these operations to make sure that ... if one group's malware is detected, and a defense created, it won't cause problems for other groups."

The report is the perhaps the first broad analysis of potential code similarities between the various tools used by groups thought to be connected to the Russian government. Check Point and Intezer focused on a dozen different groups, including the major Turla, Sofacy, and Black Energy espionage groups, finding that only in a few cases did the groups appear to share code. 

The analysis discovered 22,000 connections between the samples, including almost 4 million shared code samples. The analysis grouped the samples into 200 different modules and 60 different families, the report stated.

The conclusion: The coders behind the Russian advanced persistant threat (APT) infrastructure are largely distributed and unconnected to each other. 

"Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," the researchers stated. "Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity."

The interactive map created by the company illustrates the commonality between the different groups. Black Energy has almost a dozen components that share a great deal of code, creating a tight group on the visualization of the data.

"Each edge represents similar code between two families: it could be a lot of code, or just one function," Cohen says. "We released this information open source, so other researchers can investigate the connections themselves."

The companies originally thought that the groups would have more shared code because that would be more efficient and less costly. Instead, each of the twelve groups seem to be independent of each other, which means that the nation is likely paying significant development costs, says Cohen. 

"Different people worked on the same functionality for different development efforts," he says. "So it obviously cost a lot of money, because there is redundant code being used."

Along with MITRE's Att&ck framework, the effort is one of the few to try to make sense of the landscape of APTs, rather than mostly analyzing specific threats. To date, security firms typically focus on reverse engineering the tools and techniques used in major campaigns, such as whether Fancy Bear's tools have become more complex or more simple, or the amount of profit North Korea has made from its cyber operations.

Too Many Names

In the report, Check Point and Intezer's researchers criticized the security industry for the "frustrating" failure to settle on a common naming standard for advanced persistent threats. The group known as Fancy Bear by Crowdstrike, for example, is called APT28 by FireEye, Sofacy by Kaspersky Lab, and Pawn Storm and TG-4127 by Secureworks. Without a common lexicon for such threats, any analysis has to connect all the disparate names for the same threats, the researchers stressed.

"Every Russian APT actor and every malware family have more than a few names given to them by different vendors, researchers, and intelligence institutions," the report stated. "Some names will be used by different vendors to describe different families; some malware families would be described with different names by the same vendor; other malware families simply do not have a clear name."

The report relies heavily on other security firms' and threat researchers' attribution of code and modules to specific groups. While Check Point and Intezer connected code based on their similarities, the attribution of that code came from other groups. The older BlackEnergy and more recent Energetic Bear, for example, both had a matching sample of code that hides the attackers' tracks by deleting the tool, but that code likely came from a public source, the report stated.

"Despite the fact that self-delete functions are pretty common in malware, it is rare to see an exact 1:1 match in the binary level, which matches only for these two malware families out of all the malware families indexed," the report stated.

As part of the research, the companies released a tool - dubbed the Russian APT Detector - that uses the code signatures to detect programs involved in Russian-attributed espionage.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The 20 Worst Metrics in Cybersecurity

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...