The Red Square - Mapping the connections inside Russia`s APT Ecosystem

Itay Cohen/Checkpoint, Ari Eitan/Intezer

If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there -- and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in the cyberwarfare today. Their advanced tools, unique approaches, and solid infrastructures suggest enormous and complicated operations that involve different military and government entities inside Russia.

That said, and with all the available information on these groups, there are still some questions to bear in mind: Are the different government entities working alone or are they sharing code and techniques with each other? What artifacts, libraries and code are more likely to be shared between different families and teams of the same actor?

The fog behind these complicated operations made us realize that while we know a lot about single actors, we are short of seeing the bigger picture - a whole ecosystem with actor interaction (or lack thereof) and particular TTPs that can be viewed in a larger scope. We decided to know more and to look at things from a broader perspective. This led us to gather, classify and analyze thousands of Russian APT malware samples in order to find connections - not only between samples, but also between different families and actors.

In this talk, we will describe the process of our research. Namely, we will show how the technologies at our disposal allowed us to take a deep dive into these malware's binary DNA in order to spot the mutual Genes that are shared between Russia's APT families and actors. We will show interesting connections that we found, and present the interactive map we created to visualize this complicated Russian APT ecosystem. We will also present a signature-based tool to detect old and new samples based on the popular mutual Genes we found.

November 8 at 09:10 - 09:30, Stage A

Itay Cohen (aka Megabeets) is a Security Researcher and a Reverse Engineer in the Malware and Vulnerability Research group at Check Point Research. Itay has years of extensive background in malware reverse engineering and many other security related topics. He is the author of, a security blog focused on making advanced security topics accessible for free.
Itay is a core developer of the open-source reverse engineering framework radare2 and the maintainer of Cutter, radare2`s official GUI. On his free time, he loves to participate in CTF competitions and to contribute to open-source projects.

Ari Eitan is the VP Research of Intezer Labs, a security researcher and Incident Response professional. Ari served as the head of IDF Incident Response team and has vast experience in dealing with Nation-sponsored cyber attacks, specializing in Malware Analysis, Reverse Engineering and Forensics. He has spoken at a variety of security conferences and trainings, including the first BsidesTLV, Kaspersky SAS, and for government organizations and international agencies.