Russian APT Hackers Tools Matrix Unveiled

Researcher BushidoToken unveild a comprehensive tool matrix focused on Russian Advanced Persistent Threat (APT) groups has been unveiled.

This project, inspired by the success of the Ransomware Tool Matrix, aims to catalog and analyze the tools commonly used by Russian state-sponsored hackers.

The initiative is designed to help defenders proactively detect and block intrusions by exploiting the fact that these groups often reuse tools.

The Russian APT Tool Matrix includes a wide range of threat groups affiliated with the GRU (Main Intelligence Directorate), SVR (Foreign Intelligence Service of the Russian Federation), and FSB (Federal Security Service of the Russian Federation).

Meet the CISOs, Join the Virtual Panel to Learn compliance – Join Free

Key findings from the project highlight the diverse toolsets employed by these groups:

• GRU Affiliates: EMBER BEAR, FANCY BEAR, and Sandworm were found to rely heavily on offensive security tools (OSTs) for their intrusions. EMBER BEAR notably used the most scanners among these groups.
• SVR Affiliates: COZY BEAR, affiliated with the SVR, was identified as the group with the highest total number of different tools used. Turla and COZY BEAR were also observed using a variety of tools and platforms for exfiltration.

The analysis revealed a significant reliance on publically available OSTs across multiple Russian threat groups, with up to 27 different tools recorded. The most commonly shared tools among these groups include:

• Mimikatz: Used by COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, and Turla.
• Impacket: Utilized by COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, and BERSERK BEAR.
• PsExec: Employed by COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, and Turla.
• Metasploit: Used by FANCY BEAR, EMBER BEAR, Sandworm, and Turla.
• ReGeorg: Notably used by COZY BEAR, FANCY BEAR, EMBER BEAR, and Sandworm. ReGeorg, a network tunneling utility, is particularly noteworthy for its use by multiple Russian threat groups and its rarity in ransomware gangs.

The identification of these tools can help defenders determine if a Russian state-sponsored threat group conducted an intrusion.

For instance, ReGeorg and other top tools increase the likelihood of a Russian threat group involvement.

This tool matrix is a critical resource for cybersecurity professionals, incident responders, and managed detection and response teams.

By understanding the tools and tactics used by Russian APT groups, organizations can better protect themselves against these persistent adversaries.

Key Takeaways:

• Russian APT Groups: The tool matrix includes threat groups affiliated with the GRU, SVR, and FSB.
• Common Tools: Mimikatz, Impacket, PsExec, Metasploit, and ReGeorg are commonly used by multiple Russian threat groups.
• ReGeorg: A network tunneling utility that is rare in ransomware gangs but commonly used by Russian threat groups.
• Proactive Defense: The tool matrix helps defenders detect and block intrusions by exploiting the reuse of tools by Russian APT groups.

By leveraging this tool matrix, cybersecurity professionals can enhance their defensive strategies and mitigate the threats posed by Russian APT groups.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial