Russia-Backed APT Groups Compete With Each Other: ReportResearchers Find That State-Sponsored Cyberespionage Groups Seldom Share Code
Advanced persistent threat groups that are backed by the Russian government rarely share code with each other, fostering a competitive landscape, according to a joint research project from the security firms Check Point Research and Intezer.
"None of the connections we analyzed indicated that some pieces of code are shared between two or more organizations," according to the research report released Tuesday.
While this noncooperative approach to cyberespionage means larger investments of money and manpower for the government, it also shows that Russia is willing to continually push the limits of its sophisticated cyber capabilities, the researchers conclude.
The report says Russia has made significant investments in advanced tools, unique approaches and a solid infrastructure to support these cyberespionage efforts. The study also paints a complex picture of how military and government agencies within Russia operate.
The researchers analyzed 2,000 malware samples that were attributed to Russia-backed groups. These samples were categorized into 60 families and 200 modules.
The researchers who developed the report - Itay Cohen of Check Point and Omri Ben Bassat of Intezer - say that every organization under the Russian advanced persistent threat umbrella has its own dedicated malware development team. This arrangement has developed despite the fact that organizations may be working for years in parallel on similar malware toolkits and frameworks, the researchers say.
And while the various hacking organizations generally do not share code with each other, sharing and reusing of code among one particular group's teams often occurs, researchers say.
"The connections we analyzed showed that pieces of code such as functions, whole or partial modules and encryption schemes were shared between different teams and projects of the same actor," the researches note. "This information may suggest that different teams belonging to the same organization are aware of each other's work and operations."
To Share, Or Not to Share
Unlike the Russian hacking groups, those groups backed by China and North Korea routinely share code because it can save hundreds of man-hours and money, the researchers point out.
"Another benefit of using an existing code is that most likely, the code was tested in real-life cyber operations and the team that developed it had an experience of using and improving it," the researchers note.
Other security researchers have also noted the lack of cooperation between the various Russia-backed groups. Independent researcher Timo Steffens, who has written books on targeted attacks and advanced persistent threat groups, took to Twitter support some of the conclusions to the new research.
Often noted, but worth repeating is that sharing malware between likely Russian APT-groups is almost non-existent. The reason for this is unclear, though: Opsec or turf wars or contractor licenses?— Timo Steffens (@Timo_Steffens) September 25, 2019
The Check Point and Intezer researchers offer three theories for the lack of code sharing among Russia-backed groups.
The first possibility is that too much sharing and cooperation can lead to active operations falling apart, the researchers say.
"The price of sharing and re-using code is that when it gets caught by a security vendor or researchers, the shared pieces of code can be used to find new samples and families that are using the code. Thus, one detected family can make more operations fall apart," the report notes.
The second theory is that the Russian government, as well as the groups that it sponsors, are concerned with operational security.
"Russia is willing to invest an enormous amount of money and manpower to write similar code again and again. If this is true, this can indicate that operational security has a priceless meaning for the Russian actors," the researchers say.
A final theory about the lack of code-sharing is an old-fashion turf war among the main hacking groups over issues such as government funding and selecting campaign targets.
The three main Russian cyberespionage groups are the Russian Federal Security Service, or FSB; the Russian Foreign Intelligence Service, or SVR; and the Main Intelligence Directorate for Russia's Military, or GRU. A fourth organization is also listed in the research: the Federal Protective Services of the Russian Federation.
The researchers note that GRU, which is also known by the names Fancy Bear, APT28 and Sofacy, possesses the most sophisticated technological and operational capabilities.
Despite the groups' compartmentalized approaches, the researchers noticed some similarities in the malicious tools the groups use.
For example, the researchers noted that some code from one credential stealer developed by one group eventually found its way into different malicious tools used by a separate organization.
And while there are some connections to make between the Russia-backed groups, the researchers note: "Code similarities between samples of different actors were rare to find, and those that we did find are not unique or large enough to indicate that code or modules were actively shared."