Introduction
Based on feedback from fellow cyber threat intelligence (CTI) researchers, incident responders, and managed detection and response teams about my Ransomware Tool Matrix project, I decided to develop another Tool Matrix, this time focusing specifically on one particular hostile state: Russia.
As defenders, we can take advantage of the fact that Russian APT groups tend to reuse their tools. With proactive defensive strategies, we can hinder and even prevent certain adversaries from carrying out successful intrusions.
While the Russian APT Tool Matrix offers a valuable reference for identifying, detecting, and blocking tools frequently associated with Russian APTs, it also presents certain risks, as noted in the repository.
This new repository profiles several types of Russian threat groups, including adversaries associated with the GRU, SVR, and FSB. Each Russian threat group is labeled with the alias that the repository’s author believes is most widely recognized:
- Russian GRU: Main Intelligence Directorate (Russian Military)
- Russian SVR: Foreign Intelligence Service of the Russian Federation
- Russian FSB: Federal Security Service of the Russian Federation
If you’re pressed for time, you can also listen to this blog in podcast form on YouTube, created using Google’s NotebookLM.
Key Findings
Following the collection, extraction, and labelling of all the tools identified as being used by Russian threat groups, some interesting findings were uncovered. These are as follows:
The adversary that used the most scanners was EMBER BEAR, which is affiliated with the GRU. Other GRU threat groups, such as FANCY BEAR and Sandworm, were found often relying on a wide variety offensive security tools (OSTs) to support their intrusions.
Another interesting finding was that Russian threat groups using lots of different tools and platforms for exfiltration was Turla and COZY BEAR. Overall, the Russian threat group with the highest total number different tools used was COZY BEAR, which is affiliated with the SVR.
From extracting all the various tools from several years’ worth of threat reports, some general observations about how Russian threat groups used public-available resources to support their campaigns. The thing that stood out most was a large reliance on OSTs across multiple Russian threat groups. Up to 27 different OSTs were recorded. The tools mutually used by the highest number of Russian threat groups are as follows:
- Mimikatz is used by COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, and Turla.
- Impacket is used by COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, and BERSERK BEAR.
- PsExec is used by COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, and Turla.
- Metasploit is used by FANCY BEAR, EMBER BEAR, Sandworm, and Turla.
- ReGeorg is used by COZY BEAR, FANCY BEAR, EMBER BEAR, and Sandworm.
If a combination of the above tools are observed during an intrusion, then that intrusion could have been conducted by a Russian state-sponsored threat group. However, using the Ransomware Tool Matrix, we know that four out of the top five tools used by Russian threat groups are also very commonly used by ransomware groups.
The network tunnelling utility ReGeorg is potentially notable for its use by multiple Russian threat groups. ReGeorg is not a well-known tool and it is often used in conjunction with a web shell to turn a compromised server into a proxy. From my collection and extraction of tools from threat reports related to the Ransomware Tool Matrix, I can confirm ReGeorg is used by virtually none of the large ransomware gangs. Therefore, if this specific tool is found during an intrusion, alongside the other top five tools mentioned above, there is arguably an increased chance it was conducted by a Russian threat group.
Russian APT Tool Matrix Project
You can find The Russian APT Tool Matrix in my GitHub repository below:
BushidoUK/Russian-APT-Tool-Matrix
A tool matrix for Russian APTs based on the Ransomware Tool Matrix 28 146