September 20, 2020

Check Point & Intezer publish a report about Russia’s APT Ecosystem


Two security companies, Check Point and Intezer Labs, co-authored a report showing that hacker organizations funded by the Russian government rarely share code with each other. When code is shared, it is usually internal code managed by the same intelligence agency.

Russia's APT Ecosystem

The two companies studied nearly 2,000 malware samples from Russian government-funded hacking organizations. The researchers investigated the relationships between these samples and found 22,000 connections and 3.85 million pieces of code shared between them. The conclusion of this vast research effort is that Russian APTs do not usually share code with each other.

Below are the highlights of the report:

  • This research is the first and the most comprehensive of its kind.
    • For the first time, thousands of samples were gathered, classified, and analyzed in order to map connections between different cyber espionage organizations of a superpower country.
  • In most cases, the Russian actors do not share code with one another.
    • While each actor does reuse its code in different operations and between different malware families, there is no single tool, library or framework that is shared between different actors.
  • Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity.
  • These findings may suggest that Russia is investing a lot of effort into its operational security.
    • By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations.
  • We were able to verify previously reported connections between different families, supporting these connections with code similarity analysis as evidence.
  • We are releasing several tools to be used by the research community.
    • An interactive map of connections between dozens of Russian APT families and their components.
    • A signature-based tool to scan a host or a file against the most commonly re-used pieces of code leveraged by the Russian APTs.