The Red Square - Mapping the connections inside Russia's APT Ecosystem
2019-10-23, 10:50–11:10, Europe

If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there -- and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in the cyberwarfare today. Their advanced tools, unique approaches, and solid infrastructures suggest an enormous and complicated operation that involves different military and government entities inside Russia.

That said, and with all the available information on these groups, there are still some questions to bear in mind: Are the different government entities working alone or are they sharing code and techniques with each other? What artifacts, libraries and code are more likely to be shared between different families and teams of the same actor?

The fog behind these complicated operations made us realize that while we know a lot about single actors, we are short of seeing the bigger picture - a whole ecosystem with actor interaction (or lack thereof) and particular TTPs that can be viewed in a larger scope. We decided to know more and to look at things from a broader perspective. This led us to gather, classify and analyze thousands of Russian APT malware samples in order to find connections - not only between samples, but also between different families and actors.

In this talk, we will describe the process of our research. Namely, we will show how the technologies at our disposal allowed us to take a deep dive into these malware's binary DNA in order to spot the mutual Genes that are shared between Russia's APT families and actors. We will show interesting connections that we found, and present the interactive map we created to visualize this complicated Russian APT ecosystem. We will also release a signature-based tool to detect old and new samples based on the popular mutual Genes we found.


Outline:

  • About us
  • Objectives and Motivation
  • Presenting the main Russian APT Groups
  • in addition to worth-mention incidents
  • The Technology
  • allows us to detect even the smallest fragments of code similarities between files
  • The Process
  • gathering samples attributed to Russia
  • classifying the samples to families and actors
  • Analyzing the data
  • Spotting interesting connections
  • Present the found connections between different families and actors
  • Code similarities - Assembly level
  • Mutual TTPs
  • other connections
  • Release two tools for the community
  • A visual and interactive map of the connections between the dozens of the families
  • A signature-based tool to detect old and new samples based on popular mutual "Genes" in the ecosystem
    • Including a dedicated ruleset to be shared with the community
  • Insights and Conclusion