Russian APT Map Reveals 22,000 Connections Between 2000 Malware Samples

Though Russia still has an undiversified and stagnant economy, it was one of the early countries in the world to realize the value of remotely conducted cyber intrusions.

In recent years, many Russia hacking groups have emerged as one of the most sophisticated nation-state actors in cyberspace, producing highly specialized hacking techniques and toolkits for cyber espionage.

Over the past three decades, many high profile hacking incidents—like hacking the US presidential elections, targeting a country with NotPetya ransomware, causing blackout in Ukrainian capital Kiev, and Pentagon breach—have been attributed to Russian hacking groups, including Fancy Bear (Sofacy), Turla, Cozy Bear, Sandworm Team and Berserk Bear.

Besides continuously expanding its cyberwar capabilities, the ecosystem of Russian APT groups has also grown into a very complex structure, making it harder to understand who’s who in Russian cyber espionage.

Now to illustrate the big picture and make it easier for everyone to understand the Russian hackers and their operations, researchers from Intezer and Check Point Research joint their hands to release a web-based, interactive map that gives a full overview of this ecosystem.

Dubbed “Russian APT Map,” the map can be used by anyone to learn information about the connections between different Russian APT malware samples, malware families, and threat actors—all just clicking on nodes in the map.

“The [Russian APT] map is basically a one-stop-shop for anyone who is interested to learn and understand the connections and attributions of the samples, modules, families, and actors that together comprise this ecosystem,” researchers told The Hacker News.

“By clicking on nodes in the graph, a side panel will reveal, containing information about the malware family the node belongs to, as well as links to analysis reports on Intezer’s platform and external links to related articles and publications.”

At its core, the Russian APT Map is the result of comprehensive research where researchers gathered, classified and analyzed more than 2,000 malware samples attributed to Russian hacking groups, and mapped nearly 22,000 connections between them based on 3.85 million pieces of code they shared.

“Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity.”

Russian APT Map also reveals that though most of the hacking groups were re-using their own code in their own different tools and frameworks, no different groups were found using each other’s code.

“By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations, preventing a sensitive house of cards from collapsing,” researchers say.

“Another hypothesis is that different organizations do not share code due to internal politics.”

To make it more efficient and up-to-date in the future, researchers have also open-sourced the map and the data behind it.

Besides this, researchers have also released a Yara rules-based scanning tool, dubbed “Russian APT Detector,” that can be used by anyone to scan a specific file, a folder, or a whole file system and search for infections by Russian hackers.