What’s the matter?
Research conducted by Check Point and Intezer reveals that Russian APT groups usually do not share code with one another, and when they do, it is only within the groups managed by the same threat actor or organization.
A brief overview
Researchers analyzed approximately 2,000 malware samples linked to Russian APT groups and found 22,000 connections between the samples and 3.85 million pieces of code shared among them.
To arrive at a conclusion, the researchers gathered and classified the malware samples, analyzed the code similarities between them, and then identified the connections those similarities implied. During this research, the researchers were also able to verify previously reported connections between different malware families and the code similarities behind them.
The researchers also released a signature-based tool to scan a host or a file against the most commonly re-used pieces of code leveraged by the Russian APTs.
Key Findings
Researchers noted that by not sharing tools between different threat actor groups, and by not using the same malware against a wide range of targets, the actors avoid the risk that one compromised operation will expose another group's operations.
Code connections between different APTs
Researchers identified code connections between different tools used by the same actor; however, they were not able to find code similarities between samples belonging to different actors.
“Interestingly, our analysis and observations demonstrate that when it comes to cross-actor connections, in the vast majority of times, different actors do not share code. None of the connections we analyzed indicated that some pieces of code are shared between two or more organizations,” researchers concluded.