The Russian APT Tool Matrix

-


Introduction

Based on feedback I have received from fellow CTI researchers, incident responders, and managed detection and response teams around my Ransomware Tool Matrix project, I decided to make another Tool Matrix focused on one hostile state in particular: Russia.

Again, as defenders, we should exploit the fact the tools used by these Russian APT groups are often reused and through proactive defensive work, we can frustrate and even eliminate the ability of certain adversaries to launch intrusions.

Using the Russian APT Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by Russian APTs to hunt, detect, and block, there are some risks, as noted in the repository.

The new repository also contains multiple types of Russian threat groups, this includes adversaries part of the GRU, SVR, and FSB. The alias of each Russian threat group has been chosen by what the author of this repo believes it is most well-known as.

  • Russian GRU: Main Intelligence Directorate (Russian Military)
  • Russian SVR: Foreign Intelligence Service of the Russian Federation
  • Russian FSB: Federal Security Service of the Russian Federation

Key Findings

Following the collection, extraction, and labelling of all the tools identified as being used by Russian threat groups, some interesting findings were uncovered. These are as follows:

The adversary that used the most scanners was EMBER BEAR, which is affiliated with the GRU. Other GRU threat groups, such as FANCY BEAR and Sandworm, were found often relying on a wide variety offensive security tools (OSTs) to support their intrusions.

Another interesting finding was that Russian threat groups using lots of different tools and platforms for exfiltration was Turla and COZY BEAR. Overall, the Russian threat group with the highest total number different tools used was COZY BEAR, which is affiliated with the SVR.

From extracting all the various tools from several years’ worth of threat reports, some general observations about how Russian threat groups used public-available resources to support their campaigns. The thing that stood out most was a large reliance on OSTs across multiple Russian threat groups. Up to 27 different OSTs were recorded. The tools mutually used by the highest number of Russian threat groups are as follows:

  • Mimikatz is used by COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, and Turla.
  • Impacket is used by COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, and BERSERK BEAR.
  • PsExec is used by COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, and Turla.
  • Metasploit is used by FANCY BEAR, EMBER BEAR, Sandworm, and Turla.
  • ReGeorg is used by COZY BEAR, FANCY BEAR, EMBER BEAR, and Sandworm.

If a combination of the above tools are observed during an intrusion, then that intrusion could have been conducted by a Russian state-sponsored threat group. However, using the Ransomware Tool Matrix, we know that four out of the top five tools used by Russian threat groups are also very commonly used by ransomware groups.

The network tunnelling utility ReGeorg is potentially notable for its use by multiple Russian threat groups. ReGeorg is not a well-known tool and it is often used in conjunction with a web shell to turn a compromised server into a proxy. From my collection and extraction of tools from threat reports related to the Ransomware Tool Matrix, I can confirm ReGeorg is used by virtually none of the large ransomware gangs. Therefore, if this specific tool is found during an intrusion, alongside the other top five tools mentioned above, there is arguably an increased chance it was conducted by a Russian threat group.

Russian APT Tool Matrix Project

You can find The Russian APT Tool Matrix in my GitHub repository below:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more