Since 2014 Russian military intelligence has been actively practicing cyber warfare methods on the territory of NATO countries and their allies. The Main Intelligence Directorate (GRU) likely possesses the finest technological and operational capabilities among Russia’s special services.
Top-representative of the US Ministry of Justice John Demers said that no country had weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages as fits of spite.
Analysis of cyber operations of the military intelligence shows that the cyber activities are performed by two military units (the GRU units) who subordinate to the 6th directorate. These are military unit 74455 corresponding to the 4th Central Scientific Research Institute of the Ministry of Defense (22 Kirov Street, Khimki) and the military unit 26165 located in Moscow at 20 Komsomolsky Prospect (Rota Tower). During the Soviet era, it was the seat of the 85th main center of the special service engaged in decryption of intercepted SIGINT/ ELINT messages and was directly subordinate to the head of the GRU. Now this is the Russian Ministry of Defense main specialized research institute for cryptography, higher mathematics and computer technology.
The identification of these military units indirectly confirms that due to scientific capabilities these two units can model cyber break-in into objects of intelligence interest.
The military unit 26165 specializes in intelligence gathering, while 74455 is engaged in cyber operations.
The staff of both units works under the guise of several hacker groups.
According to our estimates, we are talking here about existence of the military units-based internal conditional groups manned with the Russian military intelligence staff that use different technical equipment and a programmed approach to solve tasks. Taking these specifics into account any of the two groups receives tasks according to the technical capabilities (malware, phishing etc.). In addition, these groups can work in priority directions that change depending on the political situation.
It is possible that some of the tasks can be performed by outsourced technical specialists using the technical and financial resources of military intelligence and work on the projects that are part of the Russian military intelligence C2 system.
We believe that in case of a successful break-in into an object of intelligence interest the group continues to work on it by using knowledge about the security architecture and malware-bookmarks that may remain from the previous successful penetration.
October 20, the US Ministry of Justice accused six Russian citizens, former and acting GRU operatives, of cyber attacks: Yuri Andrienko, Pavel Frolov, Anatoly Kovalev, Sergei Detisov, Petr Pliskin and Artem Ochichenko. All these persons work in the military unit 74455, the part of the GRU.
Dmitry Badin works for 26165, another GRU military unit. This unit coordinates the group involved in the Netherlands attack in 2018. The military officers of this unit are widely known as the APT28 group.
APT28 Group
It is also known as Fancy Bear, Tsar Team, Sofacy Group, Pawn Storm, Sednit, and STRONTIUM. X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.
APT28’s primary initiative is collecting intelligence on geopolitical and defense issues that are relevant to Russian interests. It has been targeting government, military, and security organizations in the Caucasus (Georgia, in particular); Eastern European countries; the North Atlantic Treaty Organization (NATO); and other European security organizations and defense companies. APT28, active since the mid-2000s, is experienced and advanced. It is associated with the CHOPSTICK malware, the SOURFACE downloader, and the EVILTOSS backdoor. Other software they have used includes ADVSTORESHELL, JHUHUGIT, and XTunnel, as well as Sofacy, XAgent, Foozer, WinIDS, and DownRange droppers. The group has been constantly updating the SOURFACE downloader since 2007, demonstrating the efforts it dedicates to development and innovation. APT28’s most common attack vectors are spear phishing emails, malware drop websites disguised as news sources, and zero-day exploits of the Microsoft Windows operating system and Adobe Flash. The group has been observed using six different zero-day exploits, indicative of a technical prowess that is likely backed by a government with extensive resources.
| DATE | TARGET |
|---|---|
| MAY 2014 | Ukrainian Central Election Commission (CEC) Ukrainian officials revealed that the investigation into the compromise of the CEC’s internal network identified malware traced to APT28. |
| JUNE AND SEPTEMBER 2014 | Polish Government & Power Exchange websites APT28 employed “Sedkit” in conjunction with strategic web compromises to deliver “Sofacy” malware on Polish Government websites, and the websites of Polish energy company Power Exchange. |
| OCTOBER 2014 THROUGH SEPTEMBER 2015 | Kyrgyzstan Ministry of Foreign Affairs Changes were made to domain name server (DNS) records that suggest that APT28 intercepted email traffic from the Kyrgyzstan Ministry of Foreign Affairs after maliciously modifying DNS records of the ministry’s authoritative DNS servers. |
| FEBRUARY 2015, APRIL 2015 | TV5 Monde In February, FireEye identified CORESHELL traffic beaconing from TV5Monde’s network, confirming that APT28 had compromised TV5Monde’s network. In April 2015, alleged pro-ISIS hacktivist group Cyber Caliphate defaced TV5Monde’s websites and social media profiles and forced the company’s 11 broadcast channels offline. FireEye identified overlaps between the domain registration details of Cyber Caliphate’s website and APT28 infrastructure. |
| JUNE 2015 | German Bundestag & Political Parties Germany’s Federal Office for Security in Information Technology (BSI) announced that APT28 was likely responsible for the spear phishing emails sent to members of several German political parties. The head of Germany’s domestic intelligence agency, BundesamtfürVerfassungsschutz (BfV), also attributed the June 2015 compromise of the Bundestag’s networks to APT28 |
| JULY 2015 | NATO, Afghan Ministry of Foreign Affairs, Pakistani Military APT28 used two domains (nato-news.com and bbc-news.org) to host an Adobe Flash zero-day exploit to target NATO, the Afghan Ministry of Foreign Affairs, and the Pakistani military. |
| APRIL – MAY 2016 | Germany’s Christian Democratic Union (CDU) APT28 establish a fake CDU email server and launch phishing emails against CDU members in an attempt to obtain their email credentials and access their accounts. |
| MARCH – OCTOBER 2016 | U.S. Democratic Congressional Campaign Committee (DCCC) In July, the DCCC announced that it was investigating an ongoing “cybersecurity incident” that the FBI believed was linked to the compromise of the DNC. House Speaker Nancy Pelosi later confirmed that the DCCC had suffered a network compromise. Investigators indicated that the actors may have gained access to DCCC systems as early as March. |
| APRIL – SEPTEMBER 2016 | U.S. Democratic National Committee (DNC) The DNC announced it had suffered a network compromise and that a subsequent investigation found evidence of two breaches, attributed to APT28 and APT29. FireEye analyzed the malware found on DNC networks and determined that it was consistent with our previous observations of APT28 tools. According to intelligence services, in July 2016, the Court of Arbitration for Sport in Lausanne, the US Anti-Doping Agency, the Canadian Center for Ethics in Sports (September 2016) and the International Association were targeted by the GRU officers. |
| SEPTEMBER 2016 | World Anti-Doping Agency (WADA) |
| MARCH – NOVEMBER 2016 | John Podesta Investigators found that John Podesta, Hillary Clinton’s presidential campaign chairman, was one of thousands of individuals targeted in a mass phishing scheme using shortened URLs that security researchers attributed to APT28 |
| NOVEMBER 2016 | OSCE The OSCE confirmed that it had suffered an intrusion, which a Western intelligence service attributed to APT28. |
| 2017 | Attack by APT28 was aimed at disrupting the 2017 presidential election in France through hacks that targeted local government entities, campaigns and political parties, including the party of current President Emmanuel Macron. The controversy known as the “Macron Leaks” involved the leak of over 20,000 emails linked to Macron’s campaign in the days before his victory. |
In December 2017 in Kuala Lumpur APT28 hackers tried to get access to the investigation materials of the Boeing flight MH17 crashed in Eastern Ukraine that had been shot down by the Russian Buk complex SAM missile.
88% of samples compiled between 8AM and 6PM in the timezone that includes major Russian cities such as Moscow and St.Petersburg. This is the working hours of the public structure employees in Russia.
APT28 attacks on political and critical infrastructure objects can be simultaneously carried out by two departments: military intelligence and the Federal Security Bureau (FSB). For example, the U.S. The Democratic National Committee was attacked by APT28 and the APT29 group associated with the FSB.
Apparently, both APT groups were unaware they were attacking at the same time. An analysis showed APT29 had been on the DNC’s network for more than a year, while APT28 had only been on it for a few weeks. Thus, it is likely that APT28 joined the operation by the highest level official’s order followed by the FSB group’s failure to demonstrate result in specific period of time. We exclude the attacks being coordinated by the two departments and believe that the GRU and the FSB compete in terms of cyber activities and experience interdepartmental hostility.
On our estimates the tasks performed by two groups proves their highest priority and assignment from the Administration of the President of Russia. Otherwise, the GRU would not have been joined the operation since it hurt the reputation of the FSB.
Sandworm Team
Sandworm Team is a product of military unit 75455. However, while APT28 has been using its custom-made malware and zero-day exploits, the Sandworm Team has been primarily using hacking tools that are available for purchase. It indirectly confirms the version that hacker groups are formed on the basis of technical and software break-in methods that are probably maintained by their leaders.
The Sandworm developed the infamous NotPetya ransomware which caused huge damages of billions of US dollars to companies all over the world in 2017. A malware was identified attacking a vast number of Windows-based PCs in Ukraine and Russia. A few Western corporations were affected as well. The infrastructure and attack patterns in these attacks resembled those that were conducted earlier by Sandworm.
Analyzing Sandworm Team’s activity one can suggest that the group specializes mainly in attacking infrastructure facilities, especially energy area.
Sandworm Team Russian cyber espionage group started its activity in 2009. It is also known as Voodoo Bear, Black Energy, Quedagh, TeleBots, and Electrum. They have targeted Ukrainian entities associated with the government, energy, media and telecom companies, academic institutions, industrial control systems, and supervisory control and data acquisition (SCADA). In addition, they have attacked defense industries and government institutions in the U.S., Poland, and other member states of NATO. Sandworm has shown a special interest in power grids.
The Sandworm group behind BlackEnergy shared code in one instance with another group known as Energetic Bear or Dragonfly. As estimated hackers from the military unit 26165 are behind Dragonfly. At the end of 2015, they began looking for vulnerability areas in nuclear power plants in the United States, and Westinghouse Electric working in the nuclear power industry. It confirms the hypothesis that all hacker groups are interconnected and probably differ in tasks.
Some versions of Energetic Bear’s malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks in a case of hypothetic military conflict.
In 2014 Energetic Bear attacked oil and gas companies and San Francisco airport. Since September Energetic Bear has hacked state, local, and territorial websites and stole data from at least two servers, including the aviation industry. In at least one attack a hacking group of Russian intelligence services got passwords, IT instructions, purchase and sale data and other information. Dragonfly sent malware to US, Swiss and Turkish companies as well.
The group is probably specialized in attacking industrial facilities, especially in the energy sector. The same group is assumed to provide Blue Team for the Russian oil and gas sector.
In 2010 The Black Energy 2 malware strain, leveraged against industrial control system networks in Ukraine. Four years after, in 2014 the group used the BlackEnergy2 malware, infecting U.S. critical infrastructure sites. According to media coverage, these attacks began in 2011 and affected the energy, water, real estate, and telecommunications sectors.
In 2015 the group attacked new companies during the Ukrainian 2015 elections.
During 2015-2016 Energetic Bear known also as Dragonfly provided two cyber attacks resulting in power blackouts in Ukraine. The group has utilized BlackEnergy3 malware, which attacked the system of the Ukrainian power company Prykarpattya oblenergo.
• 2015-16: Attacks on Ukrainian governmental organizations and companies including railway firms, media outlets, and more.
Obviously, Moscow is considering options to attack foreign states by using operations similar to the one carried out by Russian hackers in Ukraine in 2016 on blackout. For example, this fact is proved by Russia’s attempts to take control of the power outage systems in US factories.
In April 2018, in The Hague the GRU officers from the military unit 26165 attempted to hack the Wi-Fi network at the Organization for the Prohibition of Chemical Weapons headquarters. After that they planned to go to Switzerland. The hackers were interested in the Spitz laboratory where chemical and nuclear weapons is studied.
A 37-year old Yevgeny Serebryakov from the military unit 26165 was among the hackers. Serebryakov arrived in the Netherlands on a diplomatic passport that clearly proves the mission carried out in the interests of Russian intelligence. In the Netherlands Serebryakov’s laptop containing much evidence was seized. Google history searches revealed that on the eve of the arrival he had been interested in the location of the Organization for the Prohibition of Chemical Weapons headquarters in The Hague and the Swiss laboratory in Spiez. Serebryakov’s movements were tracked by his laptop. He connected to Wi-Fi networks in Lausanne in September 2016 and Kuala Lumpur in December 2017. The laptop also contained a photograph of Serebryakov in the stands in Brazil, during the Olympics in Rio de Janeiro in August 2016.
Besides Serebryakov, a 41-year old Alexey Morenets is suspected of the hacker attack in the Netherlands. According to the FBI, he is a GRU officer assigned to military unit 26165. Morenets himself had a car registered at the same military unit, 26165. Morenets also arrived in the Netherlands on a diplomatic passport; his passport number differs from Serebryakov’s one by one digit.
Morenets, like Serebryakov, was directly involved in hacker attacks. Under suspicion of hacker attacks the Dutch counterintelligence agency also detained a 46-year old Alexei Minin. His leaves at 50 Narodniy Militia, the location of the military unit 22177, the Military-Diplomatic Academy hostel (known as the “Conservatory) where the GRU officers are trained. He also arrived in the Netherlands on a diplomatic passport. The registration indicates that Minin does not own home in Moscow, he is registered in the region and was trained at the military-diplomatic academy. Probably, he is on the waiting list for the department housing.
According to the Dutch intelligence, Minin was one of the GRU operatives who accompanied the hackers during the operation in The Hague. However, the FBI suspects him of hack.
The fourth member of the GRU group working in the Netherlands is a 46-year old Oleg Sotnikov. His Moscow registration address coincides with the address of the GRU headquarters, 76B Khoroshevskoe shosse. Previously he was registered in a military town of Pskov from where he might have been transferred to Moscow. Sotnikov was responsible for the logistics, however, he was not a technical specialist.
TEMP.Veles is an APT group that has been targeting critical infrastructure. The group has been utilizing TRITON, a malware framework designed to manipulate industrial safety systems. Many believe it was a Russian government owned lab that most likely custom-built the TRITON framework. We estimateit can bethe GRU-linked group taking into account their targets.
The FSB’s owned groups
The FSB, like the GRU, has its own cyber warfare units. The main ones are The 16th Center: the FSB’s main signals and cyber intelligence unit. The18thCentre. These centers also serve the interests of the Foreign Intelligence Service.
APT 29
The main FSB hack group is APT29 that has many aliases: Office Monkeys, CozyCar, The Dukes, and CozyDuke. The group is believed to work for the Russian government, and, in particular, civilian intelligence agencies including the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR). APT29 has been targeting Western European governments and diplomatic organizations since at least 2010. However, the group also targets military, energy, and telecom organizations around the world. It is considered one of the most advanced and experienced APT groups. The group rapidly develops and deploys its malware in a way that resembles another well-known APT group, APT28. However, APT29’s ability to rapidly alter its tools makes it harder to detect. APT29 is associated with various malware strains, such as HAMMERTOSS, TDISCOVER, UPLOADER, CozyDuke, OnionDuke, and MiniDuke. The group’s targets have included government and commercial entities in the United States, Germany, South Korea, and beyond.
APT29’s attacks typically come in the form of spear phishing and different malware strains. The group has been known to use social media platforms and cloud storage services to relay commands and extract data.
The most famous APT29 attacks are the following:
- 2014: An infiltration attack against the U.S. Democratic National Committee (DNC), the U.S. State Department, the White House, and a private research institute in Washington D.C.
- 2015: A spear phishing cyber attack against the Pentagon’s email system
- 2016-2017: A series of spear phishing attacks against U.S. think tanks and non-governmental organizations following the 2016 U.S. General Election
- 2017: Attempts to spear phish email accounts of nine individuals in the Norwegian Ministry of Foreign Affairs, Ministry of Defense, and the Labor Party. Other Norwegian targets included the Norwegian Radiation Protection Authority, the Norwegian Police Security Service (PST), and an unidentified college.
- Both APT28 and APT29 attempted to attack the Dutch Ministry of General Affairs and other Dutch ministries.
The FSB-linked groups have been actively involved in cyber attacks to get information on the Covid-19 vaccines development. In summer 2020 Britain, the United States and Canada stated about the Russian group’s hacking attack on medical laboratories in Western countries and an attempt to steal the Covid-19 vaccine development. They blamed the hack on the Cozy Bear group, also known as APT29 and the Dukes. The US NSA believes that Russian hackers have been collecting data on vaccine development.
In October 2020 Norway’s foreign minister said Russia is behind a break-in into the Norwegian Parliament’s email system in August, calling the intrusion “a serious incident that affects our most important democratic institution.”
Various amount of data had been downloaded. The parliament later said private information such as social security numbers, bank information and other personal information plus contact data and preparatory political work “may have been lost.” We estimate that besides searching for sensitive political information, the aim was to collect personal data as a motive for further recruiting Norwegian parliamentarians.
Turla
Turla is another group working with the FSB’s men and tools. It is also known as Snake, Uroburos, Venomous Bear, and Waterbug is one of Russia’s oldest state-sponsored cyber espionage groups. It is also a Russian threat group, believed to be a subset of APT29, that has infected victims in more than 45 countries since 2004. Its victims include the government, military, education, research, and pharmaceutical sectors.
Its most intense activity took place in mid-2015. Turla is known for utilizing watering holes and spear phishing campaigns. The group uses internally developed malware and tools to carry out its attacks. It most frequently attacks Windows-based machines but has also occasionally targeted Linux and MacOS machines. Turla’s most advanced malware strains are deployed only on machines that are of the highest value and interest to the group. Its tools are considered complex and advanced. The group is unique in terms of its use of the satellite-based Command and Control (C2) mechanism. Turla’s victims include the U.S. Department of Defense, which it attacked in 2008, two European foreign offices, defense contractors, Germany’s Federal Foreign Office, Germany’s Federal College of Public Administration, and more.
Cyber Berkut
Cyber Berkut group was formed after the dissolution of the Ukrainian Berkut special police force in February 2014. The group supported the Russian separatists and aimed to expose the cooperation of the Ukrainian government with Western powers against Russia. The group has targeted various Western and Ukrainian organizations with DDOS attacks, email hacking, and PII leakages. The group was mainly active between 2014 to 2017 and hasn’t been seen active since. This group is unlikely to be the FSBregular unit. More likely it outsources in the interests of the FSB.
Several other more famous for cybercrimes groups may work under the umbrella of the FSB. The similarity of their hack targets to the Lubyanka’s objects and the time of the attack start, 2014, prove this connection.
Carbanak and FIN7
Carbanak and FIN7 are referred to as two separate threat groups that share many targets, tactics, and tools in common. Both groups target banks and financial organizations and have been observed using the “Carbanak” malware, named after the group. The Carbanak group has targeted financial institutions in Russia, Ukraine, the U.S., Germany, China, and other countries over the past several years. It was first discovered in 2014 and is rumored to have stolen nearly $1 billion to date. FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. The group typically uses malware to attack point-of-sale systems.
Cobalt Group
Cobalt Group Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions in Eastern Europe, Central Asia, and Southeast Asia. The group was first identified in 2016 and is known for its highly sophisticated attack methods. Over the years, the group has targeted supply chain companies, investment banks, and more. Some estimates indicate Cobalt Group has stolen as much as $1.2 billion from banks across 40 countries. The alleged leader of the group was arrested in early 2018; however, the group is still active. There is some indication that there may be a connection between Cobalt Group and Carbanak Group as the tools they use overlap which makes it hard to attribute their attacks. Some malware samples had indications that there are more than one threat actor using the same tools.
Gamaredon Group
Gamaredon Group is a Russia-linked threat group that has been active since mid-2013. However, its activities went unnoticed until 2015 when Operation Armageddon, a cyber espionage campaign targeting Ukrainian government, military, and law enforcement officials, was published.
The increased activity in terms of Ukraine’s administration and infrastructure facilities during the period of frequent Russian intelligence cyber attacks confirms the hypothesis that this group is also linked to the Russian security services.
There is evidence that the malware used by the group in this campaign was built on a Russian operating system, suggesting it is based in Russia or, minimally, has a presence there. The Gamaredon group is still active and keeps targeting mostly Ukrainian targets. Recently they have been seen spreading a new Linux malware named Evil Gnome. Their TTP’s mostly stayed the same throughout their years of operation. Some researchers believe they are political activities instead of Russian government but they are not enough details to positively support that claim. There is a high likelihood that Russian intelligence services could use groups like Gamaredon, Cobalt Group and FIN7 to draw up a ‘grey’ budget of Russian intelligence agencies, both in the interests of intelligence operations and influence actions, and for enriching the leaders of these units.
