Russia Chooses Resiliency Over Efficiency in Cyber Ops

Published: 23/11/2024   Category: security




New analysis of the software used by espionage groups linked to Russia finds little overlap in their development, suggesting that the groups are siloed.



Russian cyber espionage groups surprisingly share little code in their malware development, suggesting that the nation's various attack groups are isolated from one another, according to new analysis by security firm Check Point Software Technologies and machine-learning startup Intezer.
The companies analyzed more than 2,000 code samples, reverse engineering them, stripping out common open-source code, and then comparing the remaining non-public code fragments (the "genes," in Intezer's parlance) to determine the shared roots of the software. A map created from the data shows shared code within groups, but only a few connections between software thought to be used by different groups.
"We were surprised to see these notable disconnections between different actors," says Itay Cohen, a researcher and reverse engineer with Check Point. "This shows that Russia is willing to invest a lot of money in these operations to make sure that ... if one group's malware is detected, and a defense created, it won't cause problems for other groups."
The report is perhaps the first broad analysis of potential code similarities between the various tools used by groups thought to be connected to the Russian government. Check Point and Intezer focused on a dozen different groups, including the major Turla, Sofacy, and BlackEnergy espionage groups, finding that only in a few cases did the groups appear to share code.
The analysis found 22,000 connections between the samples, including almost 4 million shared pieces of code, and grouped the samples into 200 different modules and 60 different families, the report stated.
The conclusion: the coders behind the Russian advanced persistent threat (APT) infrastructure are largely distributed and unconnected to each other.
"Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," the researchers stated. "Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity."
The interactive map created by the companies illustrates the commonality between the different groups. BlackEnergy has almost a dozen components that share a great deal of code, forming a tight cluster in the visualization of the data.
"Each edge represents similar code between two families: it could be a lot of code, or just one function," Cohen says. "We released this information open source, so other researchers can investigate the connections themselves."
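The gene-comparison and edge-drawing steps described above, as an added illustration that is not Check Point's or Intezer's own tooling: each sample is reduced to fingerprints of its functions, fingerprints that belong to public or open-source code are discarded before comparison, and an edge is drawn between two families whenever they still share at least one private fingerprint, weighted by how many they share. The final function shows the detector side of such a map, attributing a new sample only on genes that are unique to one family, so a shared public routine such as a self-delete helper cannot by itself produce an attribution. The family names, function names and the hashing scheme are constructed placeholders; a real pipeline would fingerprint normalised disassembly, not names.

```python
import hashlib
from itertools import combinations


def gene(name: str) -> str:
    """Placeholder for a function-level fingerprint (constructed).

    A real pipeline would hash the normalised disassembly of each function;
    here the fingerprint is just a hash of a made-up function name.
    """
    return hashlib.sha256(name.encode()).hexdigest()[:16]


# Constructed: fingerprints of functions that come from public code
# (compression, hashing, a common self-delete routine). They must be
# stripped before comparison or they create spurious edges.
PUBLIC_GENES = {
    gene("zlib_inflate"),
    gene("sha1_transform"),
    gene("self_delete_bat"),
}

# Constructed corpus: (family, sample id) -> genes found in that sample.
SAMPLES = {
    ("FamA", "a1"): {gene("fa_config_parse"), gene("fa_c2_beacon"), gene("zlib_inflate")},
    ("FamA", "a2"): {gene("fa_config_parse"), gene("fa_keylog"), gene("sha1_transform")},
    ("FamB", "b1"): {gene("fb_loader"), gene("fa_c2_beacon"), gene("self_delete_bat")},
    ("FamC", "c1"): {gene("fc_dropper"), gene("self_delete_bat"), gene("zlib_inflate")},
}


def family_genes(samples=SAMPLES, public=PUBLIC_GENES):
    """Union of each family's genes with public-code genes removed."""
    fams = {}
    for (family, _sid), genes in samples.items():
        fams.setdefault(family, set()).update(genes - public)
    return fams


def build_edges(fams):
    """Edges between families that share at least one private gene.

    The value is the list of shared genes, so the edge weight is its length:
    a single function is enough to draw an edge, which is why every edge
    has to be inspected before it is read as evidence of a shared developer.
    """
    edges = {}
    for fa, fb in combinations(sorted(fams), 2):
        shared = fams[fa] & fams[fb]
        if shared:
            edges[(fa, fb)] = sorted(shared)
    return edges


def unique_genes(fams):
    """Genes seen in exactly one family: the basis for a family signature."""
    seen = {}
    for family, genes in fams.items():
        for g in genes:
            seen.setdefault(g, set()).add(family)
    return {
        family: {g for g in genes if seen[g] == {family}}
        for family, genes in fams.items()
    }


def classify(sample, signatures, public=PUBLIC_GENES):
    """Attribute a new sample only on genes unique to a single family.

    Returns the family name, or None when nothing private matches or when
    the private matches point at more than one family (ambiguous).
    """
    private = sample - public
    hits = {fam for fam, sig in signatures.items() if private & sig}
    return hits.pop() if len(hits) == 1 else None


if __name__ == "__main__":
    fams = family_genes()
    for pair, shared in build_edges(fams).items():
        print(pair, "shares", len(shared), "private gene(s)")
    sigs = unique_genes(fams)
    print("new sample ->", classify({gene("fb_loader"), gene("zlib_inflate")}, sigs))
    print("public-only sample ->", classify({gene("self_delete_bat")}, sigs))
```

With this corpus, FamB and FamC both carry the public self-delete routine but get no edge between them, while FamA and FamB get an edge on one private gene, which is exactly the kind of single-function link that should be examined by hand rather than treated as proof of a shared team.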
The companies originally expected the groups to share more code, because that would be more efficient and less costly. Instead, each of the twelve groups seems to be independent of the others, which means the nation is likely paying significant development costs, says Cohen.
"Different people worked on the same functionality for different development efforts," he says. "So it obviously cost a lot of money, because there is redundant code being used."
Along with MITRE's ATT&CK framework, the effort is one of the few to try to make sense of the overall landscape of APTs, rather than analyzing specific threats in isolation. To date, security firms have typically focused on reverse engineering the tools and techniques used in major campaigns, such as whether Fancy Bear's tools have become more complex or more simple, or the amount of profit North Korea has made from its cyber operations.
Too Many Names
In the report, Check Point and Intezer's researchers criticized the security industry for its frustrating failure to settle on a common naming standard for advanced persistent threats. The group known as Fancy Bear by CrowdStrike, for example, is called APT28 by FireEye, Sofacy by Kaspersky Lab, Pawn Storm by Trend Micro, and TG-4127 by Secureworks. Without a common lexicon for such threats, any analysis first has to reconcile all the disparate names for the same threat, the researchers stressed.
"Every Russian APT actor and every malware family has more than a few names given to them by different vendors, researchers, and intelligence institutions," the report stated. "Some names will be used by different vendors to describe different families; some malware families would be described with different names by the same vendor; other malware families simply do not have a clear name."
The report relies heavily on other security firms' and threat researchers' attribution of code and modules to specific groups. While Check Point and Intezer connected code based on its similarities, the attribution of that code came from other parties. The older BlackEnergy and the more recent Energetic Bear, for example, both contained a matching piece of code that hides the attackers' tracks by deleting the tool, but that code likely came from a public source, the report stated, so the match is not evidence that the two share developers.
"Despite the fact that self-delete functions are pretty common in malware, it is rare to see an exact 1:1 match at the binary level, which matches only for these two malware families out of all the malware families indexed," the report stated.
As part of the research, the companies released a tool, dubbed the Russian APT Detector, that uses the code signatures derived from the analysis to detect programs involved in Russian-attributed espionage.






