Over the last half decade or so, Russia’s state-sponsored hackers have distinguished themselves as the most active, aggressive, and disruptive teams of online aggressors in the world. They’ve meddled in elections, blacked out power grids, innovated devious new forms of espionage, hacked the Olympics, and unleashed the most destructive worm in history—a list that makes even China’s cyberspies look like tame clerical workers by comparison. Now two cybersecurity firms have created a new visual taxonomy to organize all that digital chaos—and in doing so, perhaps helped crystallize who the distinct players are within the Kremlin’s hacking forces.
Two Israeli companies, Check Point and Intezer, today released the results of a broad analysis of code that’s been previously attributed to Russian state-sponsored hacking operations. The two firms pulled 2,500 samples from the malware database VirusTotal and used Intezer’s automated tools to comb those specimens for code matches or similarities, filtering out false positives like reuse of open source components. The result is a kind of constellation chart for every known Russia state hacking group’s tool kit, showing clusters that likely represent independent groups. “The information has previously been really scattered. Now for the first time we have a one-stop shop for Russian APTs,” says Yaniv Balmas, Check Point’s head of cyber research, using the acronym for “advanced persistent threat,” an industry term for sophisticated state hackers. “You can look at this, and it’s all there.”
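The code-overlap analysis described above, as an added illustration rather than Intezer's or Check Point's own tooling: each sample is reduced to a set of code-fragment hashes, fragments that also appear in a known open-source/library corpus are discarded so shared third-party code does not create false links, and the remaining overlaps are scored and joined into clusters. The sample names, fragment hashes, library set and threshold are all constructed for the example.

```python
"""Toy code-similarity clustering (constructed data, not the firms' tooling)."""
from itertools import combinations

# Constructed corpus: sample name -> set of code-fragment hashes ("genes").
SAMPLES = {
    "sandworm_a": {"h01", "h02", "h03", "zlib1", "zlib2"},
    "sandworm_b": {"h01", "h02", "h04", "zlib1"},
    "turla_a":    {"h10", "h11", "h12", "zlib1", "zlib2"},
    "turla_b":    {"h10", "h11", "h13"},
    "lone_c":     {"h20", "zlib1", "zlib2"},
}
# Constructed list of fragments known to come from public library code.
LIBRARY_GENES = {"zlib1", "zlib2"}


def filter_library(genes, library=LIBRARY_GENES):
    """Drop fragments attributable to open-source/library code (false-positive source)."""
    return set(genes) - library


def jaccard(a, b):
    """Overlap score between two fragment sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster(samples, threshold=0.3, library=LIBRARY_GENES):
    """Return (clusters, edges): clusters are frozensets of sample names joined
    transitively by any pairwise overlap at or above the threshold."""
    cleaned = {n: filter_library(g, library) for n, g in samples.items()}
    parent = {n: n for n in cleaned}          # union-find over sample names

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]     # path halving
            x = parent[x]
        return x

    edges = []
    for a, b in combinations(cleaned, 2):
        score = jaccard(cleaned[a], cleaned[b])
        if score >= threshold:
            edges.append((a, b, round(score, 3)))
            parent[find(a)] = find(b)

    groups = {}
    for n in cleaned:
        groups.setdefault(find(n), set()).add(n)
    return sorted(map(frozenset, groups.values()), key=sorted), edges
```

Calling `cluster(SAMPLES, library=set())` shows why the filtering step matters: the shared library fragments alone pull every sample into a single cluster.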
The map’s largest clusters of connected nodes show tightly interlinked tools used by familiar Russian hacker groups—from the hackers known as Sandworm (aka Telebots or BlackEnergy), which first rose to notoriety with blackout attacks on the Ukrainian power grid, to the Turla spying team that impressed researchers with tricks like bouncing its command-and-control connections through unwitting satellites. (In some cases, it’s worth noting, different code samples are attributed to a group on the map based on reporting that’s not related to code overlaps, such as shared infrastructure—though those links are captured in the map’s key, not in its connected dots.)
The map also illustrates a few unexpected—or at least obscure—code connections between Russian hacking teams. It shows, for instance, that the Sandworm group behind BlackEnergy shared code in one instance with another group known as Energetic Bear or Dragonfly, named by Symantec in 2017 as the group responsible for penetrations of US power grid networks—though Check Point and Intezer admit that the matching code, first spotted by McAfee, may have come from a public source rather than actual collaboration. A tool called X-Agent, used by the Fancy Bear hackers best known for attacking the Democratic National Committee and the Clinton campaign, shared some code with another spy group known as Potao, known for espionage operations against Ukraine and other former Soviet-bloc neighbors. More notable, the map shows that both BlackEnergy and the malware of a group known as Cozy Bear or APT29 used code that came from a credential-stealing tool called LdPinch. That may come as a surprise, given that BlackEnergy has been pinned on the Russian military intelligence agency known as the GRU whereas Cozy Bear has been linked to the Russian foreign intelligence service, the SVR. Those two agencies have been known to act independently and even as rivals—such as when they were both discovered carrying out separate intrusions into the DNC’s network in 2016.