The Russian ICC (IX): APT groups

russian-malware-analysis-temp-770x513We have talked so far about the main services that make up the Russian intelligence community in its cyber domain and we will continue to describe in successive posts the rest of the complex Russian ecosystem but, where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (FancyBear, Sofacy …) or APT29 (CozyBear, The Dukes …), must be somehow related to this community … if they are not part of it, right?

These groups, APT28 and APT29 (we will call them that, although we take the opportunity to ask for an ISO standard for naming APT groups, which each have a dozen) are undoubtedly the best known in the Russian panorama, FireEye [5] and [6]. So, are they units of any of the Russian services listed above? Are they mercenaries who sell their work to the highest bidder? Are they organized groups that provide information in exchange for impunity? Are they the result of false flag operations of a third party? We neither know nor might ever know… However, as it is impossible, we will evaluate in this post, or at least try to (remember that attribution is always hypothetical, that’s why we like it so much ;) , some of the elements that allow us to relate these groups to the Russian services. There are more supposedly Russian groups, such as Turla; we’ll talk about them in another post…

APT28 and APT29

The first question we need to ask about these groups is whether they are really Russian; most technical indicators show that they are: from the hours and dates of compilation of their arsenal, coinciding in great part with the working hours of Moscow and Saint Petersburg, to the codification and languages used in good part of their artifacts. However, here we encounter the great problem of attribution, i.e., we approach it from artifacts left, voluntarily or involuntarily, by the attacker. Can a man from Cuenca know Russian – even colloquial -, change the time of his team to fix it in the schedule we referred to or configure the system in Russian? Without any problem. Could these groups be from Cuenca, then? Of course.

Although the technical indicators are easily alterable, they are what we have to work with; both in APT28 and in APT29 analysts identify not a man from Cuenca, but a structured group with separate responsibilities, with established development methodologies … something that we could call a malware factory. That is to say, a powerful organization is identified behind, an organization that could be an independent group, a unit of a particular service, a company … from Moscow, St. Petersburg or Cuenca.

Information needs, and therefore the objectives of these groups are more difficult to falsify than purely technical indicators (eye, but it is not impossible to do so); in the case of these groups, their victims are compatible with the information needs of the Russian government, which will be discussed in detail in this series of posts, both geographically and operationally. Falsifying this would be much more costly for a third party- we insist, but NOT impossible when we speak of an actor with many capacities, as a state; therefore, if the technical indicators point to Russia, the targets and victims point to Russia and the information needs reflected coincide with the supposedly Russian ones ([8]), the probability that APT28 and APT29 have Russian roots is HIGH. Can we confirm 100%? Of course not.

TTP

The usual tactics, techniques and procedures associated with APT29 go through the attack through phishing directed at the victim, with a link in the mail to download a dropper that, when executed, will in turn download a RAT; on the other hand, APT28 works more with the creation of fraudulent web pages similar in aspect to those of its objectives, with names of domains close to the legitimate ones, for theft of credentials. The APT28 arsenal is based mainly on the exploitation of Microsoft and Adobe products, as well as that of APT29, in both cases due to the popularity of these environments and therefore the success in its exploitation; however, APT28 uses more vulnerabilities without known exploits than APT29 ([2]) and its catalog is much larger than the latter, which could imply both a greater number of resources and a greater experience in the area of cyberspace on the part of APT28 than APT29, but on the contrary APT29 is very discreet and has a very high persistence target. In any case, both groups are technically excellent and their catalog of vulnerabilities rarely overlaps, denoting the separation (and competition) of both, and which would be compatible with the separation (and competition) of Russian services which we have already mentioned in this series of posts. In addition, some of the vulnerabilities exploited by APT28 and APT29 in their campaigns are also exploited by groups linked to cybercrime ([2]), which can range from a distraction maneuver to something that may reinforce the theory of close linkage between the Russian cyber-intelligence community and other actors in their environment, as discussed later in this series of posts.

In both cases, work methodologies, technical capacities, operational infrastructure and operational security (OPSEC) … indicate that APT28 and APT29 are not individual attackers or groups that are not well organized, but groups with a considerable amount of resources, stable in time and with a perfectly defined structure and operation. Supported by a state? Direct part of said state? In [8] we found an excellent analysis. The probability is HIGH, since few organizations can have these capabilities but, as always, we cannot confirm with certainty.

Goals

Among the objectives of APT28 are sectors such as aerospace, defense, energy, public administrations and media (remember the handling of information in Russian strategies and doctrines), with a special affection for the ministries of Defense and organizations of the former sectors linked to the military environment ([1]) that coincidentally reflect the interests of Russian military intelligence; In [5], a report where FireEye identifies this group as APT28, details some of the objectives – and of the victims – of APT28, emphasizing their operational interest in the areas close to the military and, in addition, their interest in the control of the information on issues relevant to Russia, somewhat aligned with the broad concept of Russian information warfare that we have referred in previous posts. APT28 does not address intellectual property theft, and in addition, compromised countries correspond to the main Russian geopolitical interests – which we will comment on in future posts – and the objectives are compatible with both the Russian origin of the group and the possible proximity of the same with the military field; in other words, APT28 and GRU share information needs and objectives, so maybe, just maybe, they have some kind of relationship. Is APT28 a GRU unit? We do not know. Is it an external group paid for by the GRU? We do not know. Is it a group from Cuenca? We do not know…

On the other hand, APT29 expands the objectives of its competitor, partially disconnecting them from the military to focus not only on this, but also in sectors such as pharmaceuticals, financial or technology, to mention just a few examples, as well as NGOs and even in criminal organizations ([7]). This last element is very significant, since it could reflect the police attributions, and thus the information needs, of the Russian FSB, while the attack on different NGOs implies – or may imply – political, economic or information control interests .
In line with a service like the FSB … or in line with a fake flag operation from Cuenca.

A recent example

Undoubtedly, the most recent case most rumored of alleged compromises by Russian APTs, this time by both APT28 and APT29, is the US Democratic National Committee (DNC) in 2016, and its potential influence on the results of the Election campaign, incident described to perfection in [3]; Crowdstrike revealed the presence of both groups in DNC systems, with greater persistence by APT29, and leaving their competitors among these groups: they do not share TTPs, nor vulnerabilities, nor resources … but sometimes they share goals. To the technical elements for the attribution to the Russian services, analyzed by companies like the previous one (and later reinforced by others like FireEye or Fidelis) the surprise appearance of Guccifer 2.0 is joined, a presumably false identity (a sockpuppet) compatible with the Russian military doctrine and completely aligned with the broad concept of information warfare that we have already mentioned and which includes deception, misinformation, etc. An excellent analysis of this sockpuppet and its potential relationship with a false GRU flag operation can be found in [4].

Conclusions

We have seen in this post that everything indicates that APT28 and APT29 are of Russian origin and possibly have the support of a government for its activities, two hypotheses of HIGH probability. The information needs of both groups are compatible with the information needs of the Russian government, and its objectives also coincide with the concerns of the Russian government in different areas. They do not share intelligence or arsenals, which would be compatible with the separation of the different Russian intelligence services if APT28 and APT29 were linked to some of them, but they do share objectives: the final result, intelligence, would be of higher quality. According to different analysts, APT28 may be related to Russian military intelligence, the GRU, while APT29 would be related to the FSB. It may be so. Or maybe not. Many times one comes to the conclusion that names like APT28, PawnStorm, APT29, Snake … are just the elegant way we have of saying FSB, GRU, FSO … when we do not have enough evidence to confirm the implication of these services in certain operations. In any case, if APT28 really corresponds to a unit of the GRU and APT29 with a unit of the FSB (or vice versa, as defended [9]) is something that we, of course, do not know for sure or think we can know in the short term: everything is a hypothesis. Perhaps, right now there is a man in Cuenca, very smart and organized, with many resources, listening to Radio Moscow to perfect a foreign language and configuring his computer with the St. Petersburg time zone while laughing at all the analysts of the world.

References

[1] Dmitri Alperovitch. Bears in the Midst: Intrusion into the Democratic National Committee. CrowdStrike. Junio, 2016. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[2] RFSID. Running for Office: Russian APT Toolkits Revealed. Agosto, 2016. https://www.recordedfuture.com/russian-apt-toolkits/
[3] Eric Lipton, David E. Sanger, Scott Shane. The Perfect Weapon: How Russian Cyberpower Invaded the U.S. New York Times. Diciembre, 2016. http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
[4] Thomas Rid. All Signs Point to Russia Being Behind the DNC Hack. Motherboard. Julio, 2016. http://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack
[5] FireEye. APT28: A window into Russia’s cyber espionage operations? FireEye. Octubre, 2014. https://www2.fireeye.com/apt28.html
[6] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. FireEye. Julio, 2015. https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
[7] F-Secure. THE DUKES. 7 years of Russian cyberespionage. F-Secure. Septiembre, 2015. https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[8] Jen Weedon. Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine. Kenneth Geers (Ed.), Cyber War in Perspective: Russian Aggression against Ukraine. NATO CCD COE Publications. Tallinn. 2015.
[9] Malcolm Nance. The plot to hack America: How Putin’s cyberspies and WikiLeaks tried to steal the 2016 election. Sky horse Publishing, 2016.

Image courtesy of Indian Strategic Studies.

The Russian ICC (VIII): GRU

gru_emblemThe only major Russian service which, as we have indicated, is not a direct heir of the KGB is the GRU (Glavnoye Razvedyvatelnoye Upravlenie), military unit 44388, whose aim is to provide intelligence to the Ministry of Defense, the military leadership and Russian armed forces as a whole. This service is dedicated to military intelligence, from strategic to operational, working not only in an exclusive sense of defense, but also encompassing other aspects such as politics or economy linked to the military sphere, and especially foreign intelligence – sometimes with the SVR. Since 1996, it has been entrusted with the mission of acquiring information on ecology and the environment. In order to execute these tasks, the GRU has all kinds of capabilities, from IMINT to HUMINT, through OSINT and, of course, SIGINT, capabilities that give it a sphere of action and international influence and that allow the GRU to “act in any point of the world where the need might arise, “according to statements by General Valentin Vladimirovich Korabelnikov, in an interview granted in 2006, when he was Director of GRU.

The GRU is undoubtedly the most opaque of Russian services and arguably the best of them; it is a group that maintains certain Soviet reminiscences – remember that it survived the KGB – and even that it considers “westernized” other services like the FSB. As a matter of curiosity, the GRU recruits its agents among the “proletarian” classes, preferably personnel without knowledge of languages, and among its supposed tasks is to bury weapons in hostile territory to be able to use them in case of conflict. It does not have a counterintelligence service (a function carried out by the FSB) or a press office (actually, the GRU is no more than a General Directorate within the Russian Ministry of Defense) or an official website ([1]). Thanks to its work methods, it is the intelligence service that has had the least deserters in Soviet and Russian history.

The GRU was directed by General Igor Sergun until January 2016, but after the sudden death of the General (nothing mysterious, just a heart attack), since February 2016, General Igor Korobov is in command. In both cases they are General Lieutenants, three stars, in front of the Army Generals of the FSB or the FSO. Although the personnel and budget data of the GRU are obviously classified, it is estimated that more than 25,000 staff members make up this service. In relation to its annual budget, no significant information has been found in public sources, the data being always masked in general budgets of the Russian Ministry of Defense.

As indicated, the GRU is a General Directorate of the Russian Ministry of Defense. It is structured in fifteen directions ([2]), focusing the cyber capacities of the GRU in the Second Direction and in the Sixth Direction, as well as in the Eighth Department, responsible for the security of internal communications of the GRU. The Sixth Direction is responsible for electronic intelligence, and historically it has been an active group in this area, operating signal interception stations from Cuba to Vietnam, passing of course by legal residencies of the GRU in different countries. Apparently, this GRU Directorate has the closest capabilities, especially in the military field, which we call CNO, and is capable of intercepting signal information around the world. This Sixth Direction is composed of at least four divisions ([3]); The First Division is dedicated to SIGINT (in this one the GRU Decrypt Service is framed) and the Second to ELINT, while the Third Division is responsible for the maintenance of the interception equipment and the Fourth is focused on the permanent tracing of signals. The Second Division (which includes GRU Special Forces, Spetsnaz) has seven major divisions, three of which directly relate to SIGINT, encryption and communications security at a more operational level than the Second.

In addition to the GRU, the Russian Ministry of Defense has more capabilities focused on electronic warfare, cybersecurity or computer security with a complex structure, detailed structure in the excellent reference [4] that we have already cited in previous posts in this series. For example, Military Unit 11135, 18th CRI (Central Research Institute) is the main signal intelligence research capability of the Russian Ministry of Defense, including research and development in wireless devices, SCADA systems or electromagnetic protection systems. Also as a research institute is Unit 01168, 27th CRI, in this case in the field of information technologies and command and control systems.

References
[1] Konstantin Preobrazhensky. GRU: Obscure Part of Russian Intelligence. Journal of Defense Management. Volume 2. Issue 2. Marzo, 2012.
[2] Richard Bennett. Espionage: Spies and Secrets. Virgin Digital, 2012.
[3] Andrew Jones, Gerald L. Kovacich. Global Information Warfare: The New Digital Battlefield. Segunda edición. CRC Press, 2016.
[4] Jeffrey Car. Inside Cyber Warfare: Mapping the Cyber Underworld. 2nd Edition. O’Reilly, 2011.

The Russian ICC (VII): FSO

e1470_fsoAnother of the heirs of the FAPSI is the FSO (Federal’naya Sluzhba Okhrani), identified in [1] as military unit 32152 and headed since May of this year by Major General Dmitry Kochnev (his predecessor, Evgeny Murov, was General of the Army, two ranks higher, and this in the Russian services is very important). Murov obtained very important FAPSI attributions: with more than 20,000 troops today (supposedly, since it is classified information, and various sources speak of more than 50,000), the FSO inherited and expanded the KGB’s Ninth Address, with responsibility for the protection of governmental “goods”, in the broadest sense of the word. For example, the Presidential Security Service, the PBS-Putin’s bodyguards, or control of the famous Russian nuclear briefcase depend on the FSO, as well as the operation of a secure network for the transmission of election results, GAS Vybory (Information is, obviously, an asset to be protected). Specifically, from a cyber point of view, this service has assumed, among other capacities, those associated with strategic SIGINT, the guarantee of exploitation of state systems – especially regarding its protection against foreign services – and the security of National classified information ([2]), which includes presidential communications: the FSO provides secure communications at a very high level, for example between the Kremlin and the main Russian military commanders, giving it enormous control power for the control of information …

The Spetssvyaz is framed within the FSO since 2004 (previously belonging to the FSB), the Special Information and Communications Service (SSSI), which is currently considered by some analysts to be the Russian equivalent of the US NSA (Although the intelligence community of both countries are different and therefore the NSA allocations are spread among Russian agencies). This group develops the above-mentioned cyber powers of the Service and includes at least one Directorate for the management of civilian government communications, another for the management of military government communications, a General Directorate for information resources (apparently dedicated to the protection of information in itself, in its broadest sense) and another Directorate-General for Information Systems ([3]), dedicated to the protection of systems dealing with data. The Director of Spetssvyaz, Alexey Mironov, is also Deputy Director of the FSO, a young General, who was to replace Evgeny Murov at the helm of the service after his retirement … until GD Kochnev was appointed for that post; an unexpected action for many and of course unusual, especially because of Kochnev’s engagement …

A curiosity: the FSO ordered in 2013 the purchase of typewriters (yes, typewriters, good old-fashioned ones) after some scandals of data theft – assumptions – by third parties, to avoid leakage of information. Another curiosity: Spetssvyaz records Internet domains in an open way: kremlin.ru, gov.ru, ру.рф, da-medvedev.ru … Although we are attracted by the fact (not only by the fact itself, but also by some of the Registered domains) they are not the only ones that do it: services closer to us follow or have followed the same open philosophy … at least in some cases. We will speak in some registry post of certain “curious” domains, near and far from here :)

References

[1] Jeffrey Car. Inside Cyber Warfare: Mapping the Cyber Underworld. 2nd Edition. O’Reilly, 2011.
[2] President of the Russian Federation. Strategy for the national security of the Russian Federation up to 2020. Mayo, 2009.
[3] Jonathan Littell. The Security Organs of the Russian Federation. A brief history 1991-2005. Post-Soviet Armies Newsletter. Psan Publishing House, 2006.

The Russian ICC (VI): SVR

150px-svrlogoThe SVR (Sluzhba Vneshney Razvedki) was the first heir of the KGB with its own entity, inheriting the attributions of the First General Directorate; is responsible for Russian foreign intelligence, providing the national authorities with intelligence that can benefit Russia in different areas that have evolved from the military and defense (especially the 1990s) to technological, industrial, scientific and economic areas. To achieve this goal the SVR is based primarily on HUMINT capabilities, both open and clandestine, theoretically relying on the GRU -which we will see in a coming post- for its signals intelligence needs.

In this SIGINT area the SVR works together with the GRU in strategic intelligence (at least in theory, since the rivalry between Russian agencies is well known: let us remember the “joint” operation of the SVR with the GRU of the SIGINT station in Lourdes, Cuba), as opposed to the more operative intelligence of the FSB; the main objective of the SVR, irrespective of the discipline used, is the acquisition of information and development of intelligence about the capabilities, actions, plans, intentions… both real and potential of third countries against the vital interests of the Russian Federation (as we have mentioned, even economic ones).

[Read more…]