Unpacking the Matryoshka dolls behind Kremlin-backed cybercrime campaigns
State-sponsored Russian cyber espionage groups are among the most sophisticated of the nation-state threat actors, with an added flair for deception that makes them the canniest of adversaries.
Experts quizzed by The Daily Swig said that Russian cyber-threat actors are among the best in the world, on a par with the top groups operating out of China, and with similar capabilities to western intelligence agencies – especially those with close links to the Federal Security Service (FSB) or military.
What are the techniques and tactics of Russian threat actors?
Russian state-sponsored actors typically have more sophisticated tactics, techniques, and procedures (TTPs) alongside custom malware development capabilities and tighter operational security when compared to other groups.
Xueyin Peh, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig: “Russia-linked APT groups are arguably some of the most technically advanced state-sponsored threat groups.
“They have used techniques that enable them to remain undetected for long periods of time, such as in the supply chain attack leveraging SolarWinds’ Orion Platform (which likely began as early as Spring 2020 but was only made known publicly in December 2020).
“This large-scale intrusion and the multiple techniques used to obfuscate their activity are testament to the technical prowess of these groups. In comparison, very few other state-associated APT groups – probably only those linked to the People's Republic of China – have conducted supply chain attacks of similar scale,” Peh added.
The recent SolarWinds campaign that drew so much attention to the threat of Russian cyber espionage was actually atypical for Russian actors in its use of a technology supply chain access vector, according to some threat intel experts.
Paul Prudhomme, head of threat intelligence advisory at IntSights, explained: “Russian cyber espionage groups have not historically used such attack vectors on any significant scale. Indeed, technology supply chain campaigns are more typical of their Chinese counterparts.
“This adoption of a new technique could indicate a willingness to emulate the practices of other actors.”
Vince Warrington, CEO of infosec firm Dark Intelligence, added that “Chinese state-backed attacks tend to be concerned with long-term intelligence gathering, so they tend to be slow moving, methodical, and with the aim of being able to infiltrate an organisation and extract data over the long term – think years instead of days or months.
“The Russian approach, meanwhile, has a much more short-term focus and is more concerned with gathering and exploiting data right now. Therefore, their tactics tend to be ‘noisier’ than their Chinese counterparts.
“Whereas China wishes to be the proverbial ‘ghost in the system’, the Russian state-backed groups are more likely to leave traces of their presence.”
Daniel Smith, head of security research at Radware, commented: “Nation-state and state-sponsored threat actors in Russia tend to use cyber tactics as a geopolitical lever.
“In contrast, Chinese nation-state and state-sponsored threat actors’ objectives are aligned with data collection and global surveillance.”
How are Russian cyber-threat groups evolving?
Yana Blachman, threat intelligence specialist at Venafi, told The Daily Swig: “Russian state-sponsored APT groups make use of highly sophisticated TTPs to conduct disinformation, propaganda, espionage, and destructive cyber-attacks on a global scale.
“Unlike other groups that reuse code, use OS code or even buy tools, Russian APT groups are known to use their own tailor-made tools for their campaigns, with customised approaches for each target. They continue to develop new tools and redevelop old ones, and their TTPs prioritise operational security and defence evasion, making Russian APT activity very hard to detect.”
Russian cybercrime gangs have dominated the cyber threat landscape for many years.
“These groups have not only developed highly sophisticated toolsets, they have also developed a means of monetising their activities, and are organized like traditional criminal gangs with defined roles and processes,” according to Blachman, a former officer of ‘Unit 8200’, an elite signals intelligence unit of the Israel Defense Forces.
“They are known to favour ransomware, although many are now making use of both Ransomware-as-a-Service and Malware as-a-Service, which lowers the bar for others wishing to get involved with cybercrime.”
Russia-linked threat groups have also used false-flag operations to throw investigators off the scent.
Prominent examples include the disruption of French television network TV5Monde in 2015 and the Olympic Destroyer campaign in 2018. The latter malware targeted the opening ceremony of the Winter Olympics in Pyeongchang, South Korea.
Russia-linked APT groups have also hijacked systems used by APT groups associated with other nation-states.
In 2017, the Russia-affiliated ‘Turla’ APT group was found to have compromised server infrastructure used by ‘APT34’ (aka OilRig), a group presumed to be Iranian.
Turla reportedly used this access to deploy its own malware on computers that were already compromised with APT34’s malware. “This instance of ‘spies hacking spies’ is rare, probably because it is likely to have consequences if discovered,” said Digital Shadows’ Peh.
How are Russian threat actors organized?
The relationships between the various Russian cyber espionage groups remain unclear.
IntSights’ Prudhomme explained: “In contrast to their Chinese and Iranian counterparts, there is no clear evidence that they extensively share malware development or infrastructure resources with each other via a ‘digital quartermaster’.”
Units of the GRU military intelligence service, the SVR civilian foreign intelligence service, and the FSB domestic intelligence service conduct various cyber-espionage operations.
The US has indicted 12 alleged members of Russia's General Staff Main Intelligence Directorate (GRU) for activity associated with APT28 (aka ‘Fancy Bear’), while APT29 (aka ‘Cozy Bear’) is more likely operating under the ambit of Russia's Foreign Intelligence Service (SVR).
APT29 is the prime suspect in relation to the SolarWinds campaign
“The high level of stealth and operational security in the SolarWinds campaign is consistent with what one would expect from a civilian foreign intelligence service that places a high priority on avoiding detection and maintaining access as long as possible, in order to collect as much intelligence as possible,” according to Prudhomme.
“In contrast, APT28, which is believed to operate under GRU authority, sometimes conducts much ‘noisier’ attacks – not necessarily out of a lack of operational security, but because the disruptive nature of their goals simply makes it impossible for them to avoid detection of the attack.”
For example, Sandworm (a GRU unit like APT28) was allegedly responsible for the high-profile NotPetya ransomware attack on Ukraine in 2017, which aimed to disrupt the Ukrainian economy in support of Russian foreign policy objectives.
The attack caused huge collateral damage against multinational companies that operate in Ukraine such as shipping giant Maersk.
In an alleged attempt to influence the US presidential election, both APT28 and APT29 breached the network used by the Democratic National Committee (DNC). The stolen data was subsequently leaked.
Digital Shadows’ Peh commented: “This is not the first instance of Russia-linked targeting of US government agencies: prior to the compromise of the DNC, APT29 also conducted spear-phishing attacks against the Pentagon email system in August 2015, among other government agencies.
“Similar activities also occurred in Europe, when APT28 is said to have targeted European political entities ahead of the 2018 EU Parliament elections.”
What countries and organizations are being targeted by Russian threat groups?
Governments and commercial defense organizations are top targets of Russian APTs because they can provide a wealth of political, diplomatic, and military intelligence.
Russian threat groups primarily target western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors, but also private sector targets in the US and Europe.
Energy organizations and other critical infrastructure are also important targets because of Russia's status as a leading energy producer and for the potential to disrupt the economies of targeted countries. Technology and telecommunications companies are also favored targets.
In geographic terms, Ukraine is a top target for Russian cyber espionage and disruptive attacks in support of Russia’s expansion of its power and influence in the country. Other prime targets include the nation’s historic geopolitical and military adversaries in the US and the European and Turkish members of the North Atlantic Treaty Organization (NATO).
Dark Intelligence’s Warrington commented: “Ukraine is, in effect, Russia’s testing ground for new cyber-attacks, and therefore we need to understand what happens there to predict what types of attack will happen to the West in the coming years.”
What cyber-attacks have been attributed to Russia?
Russian threat groups are thought to be behind some of the most high-profile attacks of recent years.
Alongside the SolarWinds campaign, which targeted 80% of the Fortune 500, Russian state-sponsored APT group Sandworm (aka ‘Unit 74455’, a GRU unit distinct from APT28) is accused of being behind the destructive NotPetya cyber-attack that affected thousands of businesses worldwide in 2017.
APT28, meanwhile, targeted the World Anti-Doping Agency (WADA) and leaked drug-testing information related to international athletes in 2016.
Despite high-profile media coverage of activities conducted by these Russia-linked APT groups, neither APT28 nor APT29 shows any sign of stopping its malicious activities, as evidenced by the SolarWinds hack and other recent hacking campaigns.
For example, in July 2021 reports emerged that APT29 had compromised the computer systems of the Republican National Committee (RNC) via a third-party provider.