The Russian APT Tool Matrix
Introduction
Based on feedback I have received from fellow CTI
researchers, incident responders, and managed detection and response teams
around my Ransomware
Tool Matrix project, I decided to make another Tool Matrix focused on one hostile
state in particular: Russia.
Again, as defenders, we should exploit the fact the tools
used by these Russian APT groups are often reused and through proactive defensive
work, we can frustrate and even eliminate the ability of certain adversaries to
launch intrusions.
Using the Russian APT Tool Matrix comes with its own
challenges. While it is undoubtedly useful to have a list of tools commonly
used by Russian APTs to hunt, detect, and block, there are some risks, as noted
in the repository.
The new repository also contains multiple types of Russian threat
groups, this includes adversaries part of the GRU, SVR, and FSB. The alias of
each Russian threat group has been chosen by what the author of this repo
believes it is most well-known as.
- Russian GRU: Main Intelligence Directorate (Russian Military)
- Russian SVR: Foreign Intelligence Service of the Russian Federation
- Russian FSB: Federal Security Service of the Russian Federation
Key Findings
Following the collection, extraction, and labelling of all
the tools identified as being used by Russian
threat groups, some interesting findings were uncovered. These are as
follows:
The adversary that used the most scanners was EMBER BEAR, which
is affiliated with the GRU. Other GRU threat groups, such as FANCY BEAR and
Sandworm, were found often relying on a wide variety offensive security tools
(OSTs) to support their intrusions.
Another interesting finding was that Russian threat groups
using lots of different tools and platforms for exfiltration was Turla and COZY
BEAR. Overall, the Russian threat group with the highest total number different
tools used was COZY BEAR, which is affiliated with the SVR.
From extracting all the various
tools from several years’ worth of threat reports, some general
observations about how Russian threat groups used public-available resources to
support their campaigns. The thing that stood out most was a large reliance on OSTs
across multiple Russian threat groups. Up to 27 different OSTs were recorded. The
tools mutually used by the highest number of Russian threat groups are as
follows:
- Mimikatz is used by COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, and Turla.
- Impacket is used by COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, and BERSERK BEAR.
- PsExec is used by COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, and Turla.
- Metasploit is used by FANCY BEAR, EMBER BEAR, Sandworm, and Turla.
- ReGeorg is used by COZY BEAR, FANCY BEAR, EMBER BEAR, and Sandworm.
If a combination of the above tools are observed during an
intrusion, then that intrusion could have been conducted by a Russian state-sponsored
threat group. However, using the Ransomware Tool Matrix, we know that four out
of the top five tools used by Russian threat groups are also very commonly used
by ransomware groups.
The network tunnelling utility ReGeorg is potentially notable for
its use by multiple Russian threat groups. ReGeorg is not a well-known tool and
it is often used in conjunction with a web shell to turn a compromised server
into a proxy. From my collection and extraction of tools from threat reports related
to the Ransomware Tool Matrix, I can confirm ReGeorg is used by virtually none
of the large ransomware gangs. Therefore, if this specific tool is found during
an intrusion, alongside the other top five tools mentioned above, there is
arguably an increased chance it was conducted by a Russian threat group.
Russian APT Tool Matrix Project
You can find The Russian APT Tool Matrix in my GitHub repository below: