The Russian ICC (IX): APT groups

russian-malware-analysis-temp-770x513We have talked so far about the main services that make up the Russian intelligence community in its cyber domain and we will continue to describe in successive posts the rest of the complex Russian ecosystem but, where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (FancyBear, Sofacy …) or APT29 (CozyBear, The Dukes …), must be somehow related to this community … if they are not part of it, right?

These groups, APT28 and APT29 (we will call them that, although we take the opportunity to ask for an ISO standard for naming APT groups, which each have a dozen) are undoubtedly the best known in the Russian panorama, FireEye [5] and [6]. So, are they units of any of the Russian services listed above? Are they mercenaries who sell their work to the highest bidder? Are they organized groups that provide information in exchange for impunity? Are they the result of false flag operations of a third party? We neither know nor might ever know… However, as it is impossible, we will evaluate in this post, or at least try to (remember that attribution is always hypothetical, that’s why we like it so much ;) , some of the elements that allow us to relate these groups to the Russian services. There are more supposedly Russian groups, such as Turla; we’ll talk about them in another post…

APT28 and APT29

The first question we need to ask about these groups is whether they are really Russian; most technical indicators show that they are: from the hours and dates of compilation of their arsenal, coinciding in great part with the working hours of Moscow and Saint Petersburg, to the codification and languages used in good part of their artifacts. However, here we encounter the great problem of attribution, i.e., we approach it from artifacts left, voluntarily or involuntarily, by the attacker. Can a man from Cuenca know Russian – even colloquial -, change the time of his team to fix it in the schedule we referred to or configure the system in Russian? Without any problem. Could these groups be from Cuenca, then? Of course.

Although the technical indicators are easily alterable, they are what we have to work with; both in APT28 and in APT29 analysts identify not a man from Cuenca, but a structured group with separate responsibilities, with established development methodologies … something that we could call a malware factory. That is to say, a powerful organization is identified behind, an organization that could be an independent group, a unit of a particular service, a company … from Moscow, St. Petersburg or Cuenca.

Information needs, and therefore the objectives of these groups are more difficult to falsify than purely technical indicators (eye, but it is not impossible to do so); in the case of these groups, their victims are compatible with the information needs of the Russian government, which will be discussed in detail in this series of posts, both geographically and operationally. Falsifying this would be much more costly for a third party- we insist, but NOT impossible when we speak of an actor with many capacities, as a state; therefore, if the technical indicators point to Russia, the targets and victims point to Russia and the information needs reflected coincide with the supposedly Russian ones ([8]), the probability that APT28 and APT29 have Russian roots is HIGH. Can we confirm 100%? Of course not.


The usual tactics, techniques and procedures associated with APT29 go through the attack through phishing directed at the victim, with a link in the mail to download a dropper that, when executed, will in turn download a RAT; on the other hand, APT28 works more with the creation of fraudulent web pages similar in aspect to those of its objectives, with names of domains close to the legitimate ones, for theft of credentials. The APT28 arsenal is based mainly on the exploitation of Microsoft and Adobe products, as well as that of APT29, in both cases due to the popularity of these environments and therefore the success in its exploitation; however, APT28 uses more vulnerabilities without known exploits than APT29 ([2]) and its catalog is much larger than the latter, which could imply both a greater number of resources and a greater experience in the area of cyberspace on the part of APT28 than APT29, but on the contrary APT29 is very discreet and has a very high persistence target. In any case, both groups are technically excellent and their catalog of vulnerabilities rarely overlaps, denoting the separation (and competition) of both, and which would be compatible with the separation (and competition) of Russian services which we have already mentioned in this series of posts. In addition, some of the vulnerabilities exploited by APT28 and APT29 in their campaigns are also exploited by groups linked to cybercrime ([2]), which can range from a distraction maneuver to something that may reinforce the theory of close linkage between the Russian cyber-intelligence community and other actors in their environment, as discussed later in this series of posts.

In both cases, work methodologies, technical capacities, operational infrastructure and operational security (OPSEC) … indicate that APT28 and APT29 are not individual attackers or groups that are not well organized, but groups with a considerable amount of resources, stable in time and with a perfectly defined structure and operation. Supported by a state? Direct part of said state? In [8] we found an excellent analysis. The probability is HIGH, since few organizations can have these capabilities but, as always, we cannot confirm with certainty.


Among the objectives of APT28 are sectors such as aerospace, defense, energy, public administrations and media (remember the handling of information in Russian strategies and doctrines), with a special affection for the ministries of Defense and organizations of the former sectors linked to the military environment ([1]) that coincidentally reflect the interests of Russian military intelligence; In [5], a report where FireEye identifies this group as APT28, details some of the objectives – and of the victims – of APT28, emphasizing their operational interest in the areas close to the military and, in addition, their interest in the control of the information on issues relevant to Russia, somewhat aligned with the broad concept of Russian information warfare that we have referred in previous posts. APT28 does not address intellectual property theft, and in addition, compromised countries correspond to the main Russian geopolitical interests – which we will comment on in future posts – and the objectives are compatible with both the Russian origin of the group and the possible proximity of the same with the military field; in other words, APT28 and GRU share information needs and objectives, so maybe, just maybe, they have some kind of relationship. Is APT28 a GRU unit? We do not know. Is it an external group paid for by the GRU? We do not know. Is it a group from Cuenca? We do not know…

On the other hand, APT29 expands the objectives of its competitor, partially disconnecting them from the military to focus not only on this, but also in sectors such as pharmaceuticals, financial or technology, to mention just a few examples, as well as NGOs and even in criminal organizations ([7]). This last element is very significant, since it could reflect the police attributions, and thus the information needs, of the Russian FSB, while the attack on different NGOs implies – or may imply – political, economic or information control interests .
In line with a service like the FSB … or in line with a fake flag operation from Cuenca.

A recent example

Undoubtedly, the most recent case most rumored of alleged compromises by Russian APTs, this time by both APT28 and APT29, is the US Democratic National Committee (DNC) in 2016, and its potential influence on the results of the Election campaign, incident described to perfection in [3]; Crowdstrike revealed the presence of both groups in DNC systems, with greater persistence by APT29, and leaving their competitors among these groups: they do not share TTPs, nor vulnerabilities, nor resources … but sometimes they share goals. To the technical elements for the attribution to the Russian services, analyzed by companies like the previous one (and later reinforced by others like FireEye or Fidelis) the surprise appearance of Guccifer 2.0 is joined, a presumably false identity (a sockpuppet) compatible with the Russian military doctrine and completely aligned with the broad concept of information warfare that we have already mentioned and which includes deception, misinformation, etc. An excellent analysis of this sockpuppet and its potential relationship with a false GRU flag operation can be found in [4].


We have seen in this post that everything indicates that APT28 and APT29 are of Russian origin and possibly have the support of a government for its activities, two hypotheses of HIGH probability. The information needs of both groups are compatible with the information needs of the Russian government, and its objectives also coincide with the concerns of the Russian government in different areas. They do not share intelligence or arsenals, which would be compatible with the separation of the different Russian intelligence services if APT28 and APT29 were linked to some of them, but they do share objectives: the final result, intelligence, would be of higher quality. According to different analysts, APT28 may be related to Russian military intelligence, the GRU, while APT29 would be related to the FSB. It may be so. Or maybe not. Many times one comes to the conclusion that names like APT28, PawnStorm, APT29, Snake … are just the elegant way we have of saying FSB, GRU, FSO … when we do not have enough evidence to confirm the implication of these services in certain operations. In any case, if APT28 really corresponds to a unit of the GRU and APT29 with a unit of the FSB (or vice versa, as defended [9]) is something that we, of course, do not know for sure or think we can know in the short term: everything is a hypothesis. Perhaps, right now there is a man in Cuenca, very smart and organized, with many resources, listening to Radio Moscow to perfect a foreign language and configuring his computer with the St. Petersburg time zone while laughing at all the analysts of the world.


[1] Dmitri Alperovitch. Bears in the Midst: Intrusion into the Democratic National Committee. CrowdStrike. Junio, 2016.
[2] RFSID. Running for Office: Russian APT Toolkits Revealed. Agosto, 2016.
[3] Eric Lipton, David E. Sanger, Scott Shane. The Perfect Weapon: How Russian Cyberpower Invaded the U.S. New York Times. Diciembre, 2016.
[4] Thomas Rid. All Signs Point to Russia Being Behind the DNC Hack. Motherboard. Julio, 2016.
[5] FireEye. APT28: A window into Russia’s cyber espionage operations? FireEye. Octubre, 2014.
[6] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. FireEye. Julio, 2015.
[7] F-Secure. THE DUKES. 7 years of Russian cyberespionage. F-Secure. Septiembre, 2015.
[8] Jen Weedon. Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine. Kenneth Geers (Ed.), Cyber War in Perspective: Russian Aggression against Ukraine. NATO CCD COE Publications. Tallinn. 2015.
[9] Malcolm Nance. The plot to hack America: How Putin’s cyberspies and WikiLeaks tried to steal the 2016 election. Sky horse Publishing, 2016.

Image courtesy of Indian Strategic Studies.

See also in: