A newly released study that looked at 2,000 malware samples attributed to Kremlin-backed hacking groups demonstrates the significant amount of resources Russia has plowed into shielding its cyber espionage operations over the past decade.
The research, jointly carried out by security firms Check Point and Intezer, has found that Russia’s various Advanced Persistent Threat (APT) hacking groups rarely share code between each other, and don’t appear to have ever shared a single tool, software library or framework between different groups.
The findings suggest that Russia is investing a lot of resources into its “operational security”, or OpSec -- a concept that has its roots in the military, designed to protect against an adversary exploiting activity between friendly groups. In the case of Russia’s various APT hacking groups, there's an apparent risk in sharing code and tools that an adversary could learn and use to disrupt one of the peer groups’ activities.
“By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations,” Itay Cohen from Check Point Research and Omri Ben Bassat from Intezer explain.
The Russian intelligence agencies the researchers refer to who share code minimally include the FSB or the Federal Security Service of the Russian Federation; the SVR or the Foreign Intelligence Service of the Russian Federation; and Russia's supreme intelligence unit, the GRU, which is also known as the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation.
What the researchers found was that some groups shared components of code between different teams, suggesting different malware families of the same organization do share some code.
This helps keep costs low through code re-use, using code that was likely tested in real-world operations. The risk they take when sharing code samples is that malware researchers can use shared pieces of code to identify malware that wasn’t previously linked to the same code.
The groups have been blamed on attacks including on Ukraine’s energy grid in 2015, the hack of the Democratic National Committee’s (DNC’s) email server that led to the 2016 election meddling leak, and the hugely costly NotPetya attack in mid-2017 that impacted several global firms, most notably Danish shipping giant Maersk.
While all have been attributed to different arms of the Kremlin’s cyber espionage infrastructure and provide individual examples of activities by different hacking groups, Check Point notes the “bigger picture remains hazy”.
And despite a tendency not to share code, the researchers identified 3.85 million pieces of code that were shared among the 2,000 samples, which the researchers classified into 60 families and 200 modules.
However, the findings also suggest that each Russian ATP group has its own dedicated malware development teams who work in tandem on similar malware toolkits.
The researchers note that this behavior does create higher costs, since malware and tools are produced by different groups who are essentially working towards providing the same functionality for each team. Nonetheless, the Kremlin appears to consider it a worthwhile exercise to protect work from different groups in the event one project is compromised.
The researchers can’t say for certain why different APT groups from Russia don’t share code, but suggest several possible reasons they think are related to avoiding baggage that comes with sharing code.
“By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations, preventing a sensitive house of cards from collapsing,” they write.
“According to this assumption, Russia is willing to invest an enormous amount of money and man-power to write similar code again and again, instead of sharing tools, libraries or frameworks, causing redundancy in this parallel activity. If this is true, this can indicate that Operational Security has a priceless meaning for the Russian actors.
Among the connections the researchers did find between malware samples, they claim to have found an exact match between a 2015 sample of the notorious BlackEnergy malware and a 2017 sample known as Energetic Bear and Dragonfly that both featured a self-delete feature. But they note the source of this feature was publicly available.