
Threat Intelligence

9/24/2019
02:00 PM

Russia Chooses Resiliency Over Efficiency in Cyber Ops

New analysis of the software used by espionage groups linked to Russia finds little overlap in their development, suggesting that the groups are siloed.

Russian cyber espionage groups surprisingly share little code in their development, suggesting that the nation's various attack groups are isolated from one another, according to new analysis by security firm Check Point Software Technologies and machine-learning startup Intezer.

The companies analyzed more than 2,000 code samples, reverse engineering them, stripping out common open-source code, and then comparing the remaining non-public code fragments, the "genes," in Intezer's parlance, to determine the shared roots of the software. A map created from the data shows shared code within groups, but only a few connections between software thought to be used by different groups.

"We were surprised to see these notable disconnections between different actors," says Itay Cohen, a researcher and reverse engineer with Check Point. "This shows that Russia is willing to invest a lot of money in these operations to make sure that ... if one group's malware is detected, and a defense created, it won't cause problems for other groups."

The report is perhaps the first broad analysis of potential code similarities between the various tools used by groups thought to be connected to the Russian government. Check Point and Intezer focused on a dozen different groups, including the major Turla, Sofacy, and Black Energy espionage groups, finding that only in a few cases did the groups appear to share code.

The analysis discovered 22,000 connections between the samples, including almost 4 million shared code samples. The analysis grouped the samples into 200 different modules and 60 different families, the report stated.
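The following script is an added example, not code from Check Point, Intezer, or the article, that illustrates the comparison method described above on a constructed corpus: each function in a sample is hashed into a "gene," genes that also occur in a public open-source corpus are discarded, and the remaining genes are intersected pairwise to produce the edges of a family-similarity map. Family names, function byte strings, and the public-code list are all invented placeholders; it also shows why the open-source filtering step matters by comparing against the unfiltered result.

```python
import hashlib
from itertools import combinations

# Constructed stand-ins for open-source library functions that many unrelated
# binaries statically link (zlib, OpenSSL, the C runtime, ...). In a real
# pipeline these would be function bodies harvested from the public libraries.
PUBLIC_CODE = [
    b"zlib_inflate_block_v1",
    b"openssl_sha256_transform",
    b"msvcrt_memcpy_impl",
]

# Constructed corpus: family name -> list of function bodies found in its samples.
# Real input would be disassembled functions extracted from the binaries.
SAMPLES = {
    "FamilyA": [b"zlib_inflate_block_v1", b"selfdelete_cmd_del_v2",
                b"keylog_hook_v1", b"c2_http_post_v3"],
    "FamilyB": [b"openssl_sha256_transform", b"selfdelete_cmd_del_v2",
                b"screenshot_gdi_v1"],
    "FamilyC": [b"msvcrt_memcpy_impl", b"c2_http_post_v3",
                b"keylog_hook_v1", b"persist_runkey_v1"],
    "FamilyD": [b"zlib_inflate_block_v1", b"openssl_sha256_transform",
                b"exfil_ftp_v1"],
}


def gene(func_bytes: bytes) -> str:
    """A gene is the hash of one function's bytes: two samples carry the same
    gene only when the function matches 1:1 at the binary level."""
    return hashlib.sha256(func_bytes).hexdigest()[:16]


def extract_genes(samples, public_code):
    """Return {family: set(genes)} with genes that also appear in the
    public/open-source corpus removed, so library code cannot create edges."""
    public = {gene(f) for f in public_code}
    return {fam: {gene(f) for f in funcs} - public for fam, funcs in samples.items()}


def build_edges(family_genes):
    """Return [(family1, family2, shared_gene_count)] for every pair of families
    sharing at least one non-public gene. One shared function is enough for an
    edge, which is why each edge must be examined before drawing conclusions."""
    edges = []
    for a, b in combinations(sorted(family_genes), 2):
        shared = family_genes[a] & family_genes[b]
        if shared:
            edges.append((a, b, len(shared)))
    return edges


def isolated_families(family_genes, edges):
    """Families with no edge at all: the 'siloed' development teams of the report."""
    connected = {fam for edge in edges for fam in edge[:2]}
    return sorted(set(family_genes) - connected)


if __name__ == "__main__":
    filtered = build_edges(extract_genes(SAMPLES, PUBLIC_CODE))
    unfiltered = build_edges(extract_genes(SAMPLES, []))
    print("edges after removing public code:", filtered)
    print("edges without that step:         ", unfiltered)
    print("isolated families:", isolated_families(extract_genes(SAMPLES, PUBLIC_CODE), filtered))
```

With the constructed corpus, only FamilyA-FamilyB (one shared function, the self-delete routine) and FamilyA-FamilyC (two shared functions) remain connected once library code is discarded, and FamilyD ends up isolated; without the filtering step, FamilyD would appear linked to both FamilyA and FamilyB purely through zlib and OpenSSL, which is exactly the false connection the researchers' preprocessing is designed to avoid.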

The conclusion: The coders behind the Russian advanced persistent threat (APT) infrastructure are largely distributed and unconnected to each other.

"Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," the researchers stated. "Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity."

The interactive map created by the company illustrates the commonality between the different groups. Black Energy has almost a dozen components that share a great deal of code, creating a tight group on the visualization of the data.

"Each edge represents similar code between two families: it could be a lot of code, or just one function," Cohen says. "We released this information open source, so other researchers can investigate the connections themselves."

The companies originally thought that the groups would share more code, because doing so would be more efficient and less costly. Instead, each of the twelve groups seems to be independent of the others, which means that the nation is likely paying significant development costs, says Cohen.

"Different people worked on the same functionality for different development efforts," he says. "So it obviously cost a lot of money, because there is redundant code being used."

Along with MITRE's ATT&CK framework, the effort is one of the few to try to make sense of the overall APT landscape, rather than analyzing specific threats. To date, security firms have typically focused on reverse engineering the tools and techniques used in major campaigns, such as whether Fancy Bear's tools have become more complex or simpler, or how much profit North Korea has made from its cyber operations.

Too Many Names

In the report, Check Point and Intezer's researchers criticized the security industry for the "frustrating" failure to settle on a common naming standard for advanced persistent threats. The group known as Fancy Bear by Crowdstrike, for example, is called APT28 by FireEye, Sofacy by Kaspersky Lab, and Pawn Storm and TG-4127 by Secureworks. Without a common lexicon for such threats, any analysis has to connect all the disparate names for the same threats, the researchers stressed.

"Every Russian APT actor and every malware family have more than a few names given to them by different vendors, researchers, and intelligence institutions," the report stated. "Some names will be used by different vendors to describe different families; some malware families would be described with different names by the same vendor; other malware families simply do not have a clear name."

The report relies heavily on other security firms' and threat researchers' attribution of code and modules to specific groups. While Check Point and Intezer connected code based on their similarities, the attribution of that code came from other groups. The older BlackEnergy and more recent Energetic Bear, for example, both had a matching sample of code that hides the attackers' tracks by deleting the tool, but that code likely came from a public source, the report stated.

"Despite the fact that self-delete functions are pretty common in malware, it is rare to see an exact 1:1 match in the binary level, which matches only for these two malware families out of all the malware families indexed," the report stated.

As part of the research, the companies released a tool, dubbed the Russian APT Detector, that uses the code signatures derived from the analysis to detect programs involved in Russian-attributed espionage.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
