A study of published intelligence on three major malware families used in Russia's cyber espionage operations shows a highly coordinated, targeted, and stealthy strategy.
Researchers at Recorded Future studied Uroburous, Energetic Bear, and APT28, three main malware families out of Russia being used for cyberspying. In a report scheduled for publication today, RecordedFuture analyzed intelligence on the operations from public reports by various security vendor research teams and found, among other things, that the three attack groups don't operate in a vacuum. For one thing, they appear to avoid hitting the same targets: "There's very little cohabitation of the [three] malware families," says Christopher Ahlberg, CEO and co-founder of Recorded Future. "It seems to indicate some level of tactical and organizational coordination."
Russia mostly has been known for its notorious cybercrime underground, but its cyber espionage activity over the past year has come into sharper focus after a wave of publicized targeted cyberspying campaigns. China, meanwhile, has been spotted operating pervasive cyber espionage to pilfer intellectual property.
"China has economic objectives," Ahlberg says. "Russia wants to show the world they are strong politically. Energy is incredibly important to them [as well]… They also want to sell gas to Western Europe" and oil to other nations, he says.
"There's more of a focus on commodity markets and geopolitical" interests, he notes.
Uroburous, Energetic Bear, and APT28 use their own attack vectors, exploits and vulnerabilities, and toolkits. Each also appears to have a different objective, according to Recorded Future's analysis.
Uroburous -- the name used by G Data Software AG -- is also known as Epic Turla by Kaspersky Lab, Snake by BAE Systems, and SnakeNet, and has been around since at least 2008. Its main targets: governments, embassies, defense industry, research and education, and the pharmaceutical industry. The initial attack vector is either spear phishing emails or watering hole attacks via phony Flash player updates.
The spear phish typically comes with an attachment that includes an executable RAR SFX (self-extracting archive) that contains the malware that is then extracted and installed on the victim's machine.
Energetic Bear, the name CrowdStrike has given the attack group, is also known as Crouching Yeti by Kaspersky, Koala Team by iSIGHT Partners, and Dragonfly by Symantec. This group focuses on aviation, defense, energy, industrial controls systems (ICS), and petroleum pipeline operators. Spear phishing and watering hole attacks are also its initial vectors.
Its main goal is to remain inside its target's network for the long-term. "This may be the work of a military group pre-positioning itself for a computer network attack as a tool to fulfill military or political goals. Parallels can be drawn between Energetic Bear and Stuxnet in terms of its victimology and focus on ICS equipment," Recorded Future says in its report.
APT28, as it's known by FireEye/Mandiant, is also called Tsar Team by iSIGHT Partners, Sednit by Eset, Fancy Bear by CrowdStrike, and Operation Pawn Storm by Trend Micro. This attack group goes after NATO, Eastern European government and military agencies, defense, and Russian adversaries, the report notes.
FireEye/Mandiant late last month identified the attackers as Russian government-backed. The attackers infamously use targeted phishing attacks against Outlook Web Access users via typo-squatted domains associated with the defense industry.
According to the Recorded Future report:
From espionage, cyber warfare, and tracking regional geopolitical foes, Russia continues to build a cyber capability with the potential to impact organizations worldwide. The scope of Russian cyber operations has only recently been discovered by cybersecurity firms. In contrast, Chinese cyber operations have been known for over a decade due to their sloppy operational procedures and direct attribution. Russia however, continues to lead the way in stealthier malware and operations making their efforts harder to identify and analyze. Although these intrusions have been identified and are widely attributed to Russia’s government, there are several others whose attribution to the Russian Federation is less clear like MiniDuke, CosmicDuke, BlackEnergy Bot, SandWorm, and Quedagh.