All the Code Connections Between Russian Hackers, Visualized




In the last five years or so, Russian state-sponsored hackers have distinguished themselves as the most active, aggressive, and disruptive online attackers in the world. They have meddled in elections, blacked out power grids, exposed defecting spies, hacked the Olympics, and unleashed the most destructive worm in history, a rap sheet that makes even Chinese cyberspies look like mere white-collar offenders. Now two cybersecurity companies have built a new visual taxonomy to organize all of that digital chaos. In doing so, they may have helped clarify the identities of the various actors inside the Kremlin's hacking forces.

Check Point and Intezer, two Israeli companies, today published the results of an extensive code analysis of malware that had already been attributed to Russian state-sponsored hacking operations. The two companies pulled 2,500 samples from the VirusTotal malware database and used Intezer's automated tools to analyze those samples for matching or similar code, filtering out false positives such as reused open-source components. The result is a kind of constellation diagram of each Russian state hacking group's toolkit, showing the clusters that likely represent distinct teams. "The information was previously widely dispersed, now for the first time we have a one-stop shop for Russian APTs," said Yaniv Balmas, head of cyber research at Check Point, using the acronym for "advanced persistent threat," the industry's term for sophisticated hackers. "You can look at that, and everything is there."
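The analysis described above, as an added illustration that is not Check Point's or Intezer's tooling: each sample is reduced to a set of "code genes" (here simply hashes of function byte sequences, a stand-in for whatever normalized code units Intezer actually uses), genes that also occur in a known open-source corpus are discarded so shared library code does not count as a link, and samples that still share genes are joined into connected clusters. The sample names, function byte strings and library corpus are all constructed for the example.

```python
"""Toy code-similarity clustering of malware samples (constructed example).

Mirrors the workflow in the article: hash code units, drop those that
match a library/open-source corpus, link samples that still overlap,
and group linked samples into clusters. The function "bodies" below are
short byte strings standing in for disassembled functions.
"""
import hashlib
from itertools import combinations

# Constructed samples: name -> list of function bodies (invented data).
SAMPLES = {
    "sample_A": [b"func_x_agent_keylog", b"func_http_beacon",
                 b"zlib_inflate_fast", b"func_crypt_rc4"],
    "sample_B": [b"func_x_agent_keylog", b"func_http_beacon",
                 b"zlib_inflate_fast"],
    "sample_C": [b"func_ldpinch_steal", b"func_crypt_rc4",
                 b"zlib_inflate_fast"],
    "sample_D": [b"func_ldpinch_steal", b"func_dropper"],
    "sample_E": [b"zlib_inflate_fast", b"func_unrelated_1",
                 b"func_unrelated_2"],
}

# Constructed open-source corpus: genes found here are never evidence
# of a relationship between two samples.
LIBRARY_CORPUS = [b"zlib_inflate_fast"]


def gene(func_body: bytes) -> str:
    """Hash of a function body. A real tool would first normalize
    operands/addresses so recompiled code still matches; the raw hash
    is enough to show the filtering and clustering logic."""
    return hashlib.sha256(func_body).hexdigest()[:16]


def sample_genes(samples, library):
    """Map each sample to its gene set minus library genes."""
    lib = {gene(f) for f in library}
    return {name: {gene(f) for f in funcs} - lib
            for name, funcs in samples.items()}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def build_edges(genes, min_shared=1):
    """Edges between samples sharing >= min_shared non-library genes.
    Value: (shared gene count, Jaccard similarity rounded to 3 places)."""
    edges = {}
    for a, b in combinations(sorted(genes), 2):
        shared = genes[a] & genes[b]
        if len(shared) >= min_shared:
            edges[(a, b)] = (len(shared), round(jaccard(genes[a], genes[b]), 3))
    return edges


def clusters(genes, edges):
    """Connected components over the edge set (union-find)."""
    parent = {n: n for n in genes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = {}
    for n in genes:
        groups.setdefault(find(n), set()).add(n)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def analyze(samples=SAMPLES, library=LIBRARY_CORPUS, min_shared=1):
    genes = sample_genes(samples, library)
    edges = build_edges(genes, min_shared)
    return edges, clusters(genes, edges)


if __name__ == "__main__":
    for label, lib in (("with library filter", LIBRARY_CORPUS),
                       ("without library filter", [])):
        edges, groups = analyze(library=lib)
        print(label)
        for (a, b), (n, sim) in edges.items():
            print(f"  {a} -- {b}: {n} shared, jaccard={sim}")
        print("  clusters:", groups)
```

Run with the filter and sample_E, which only shares the zlib routine with the others, stays isolated while A, B, C and D form one cluster; run with an empty library and the shared zlib gene pulls all five samples into a single cluster, which is exactly the false-positive the article says the researchers had to filter out.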

An interactive version of this map of code connections among Russian hacker groups is available from the researchers. Screenshot: Check Point Research / Intezer

The largest groups of connected nodes on the map show closely related tools used by well-known Russian hacking groups, from the hackers known as Sandworm (aka Telebots or BlackEnergy), who first gained notoriety with blackout attacks on the Ukrainian power grid, to the Turla espionage team, which has impressed researchers with tricks such as bouncing its command-and-control connections through hijacked satellite links. (In some cases, it's worth noting, distinct code samples are assigned to a group on the map based on reports unrelated to code overlap, such as shared infrastructure, though those links are captured in the map's key rather than in its connected nodes.)

The map also illustrates some unexpected, or at least obscure, code connections between Russian hacking teams. It shows, for example, that the Sandworm group, in its original BlackEnergy form, shared code with another group called Energetic Bear or Dragonfly, which Symantec named in 2017 as the group responsible for penetrating US utility networks, although Check Point and Intezer acknowledge that the matching code, first spotted by McAfee, may have come from a public source rather than from actual collaboration. A tool called X-Agent, used by the Fancy Bear hackers best known for attacking the Democratic National Committee and the Clinton campaign, shared code with another espionage group known as Potao, known for its spying operations against Ukraine and other former Soviet bloc countries. More notably, the map shows that both BlackEnergy and the malware of a group called Cozy Bear or APT29 used code from a credential-stealing tool called LdPinch. That may seem surprising, given that BlackEnergy has been tied to the Russian military intelligence agency known as the GRU, while Cozy Bear has been linked to Russia's foreign intelligence service, the SVR. The two agencies are known to operate independently and even as rivals, as when they were found to have made separate intrusions into the DNC's network in 2016.
