Russian State Hackers Rarely Share Code With One Another (zdnet.com)

Russia's state-sponsored hacking groups rarely share code with one another, and when they do, it's usually within groups managed by the same intelligence service, a new joint report published today reveals. From a report: This report, co-authored by Check Point and Intezer Labs, is a first of its kind in its field. The two companies looked at nearly 2,000 malware samples that were previously linked to Russian state-sponsored hacking groups, in order to get an idea of how these malware samples related to each other. Their investigation found 22,000 connections and 3.85 million pieces of code that were shared among the malware strains. The conclusion of this vast research effort was the revelation that Russian APTs (advanced persistent threat, a term used to describe government-backed hacking groups) don't usually share code with one another. Furthermore, in the rare instances they do, code reuse usually occurs inside the same intelligence service, showing that Russia's three main agencies that are in charge of foreign cyber-espionage operations don't collaborate for their campaigns.
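The summary talks about "connections" and "shared pieces of code" between samples without saying how such a graph is built. The script below is an added toy version of that kind of analysis, written for this page; it is not the Check Point/Intezer report's method or tooling. It hashes fixed-size byte windows as stand-ins for functions (the real unit of code the report used is not described here), links every pair of samples that shares enough pieces, and then splits the links into intra-service and cross-service using an attribution map. The sample blobs, the tool names, the two "services" and the attribution map are all constructed for the example.

```python
# Added illustration: a toy code-reuse graph over constructed byte blobs.
# Not Check Point's or Intezer's method; services and sample names are made up.
import hashlib
from collections import Counter
from itertools import combinations

CHUNK = 8  # bytes per code "piece"; fixed windows stand in for real functions


def code_pieces(blob: bytes, size: int = CHUNK) -> set:
    """Hash every size-byte window of blob. Each hash is one reusable piece;
    a real analysis would hash disassembled functions, not raw windows."""
    return {hashlib.sha256(blob[i:i + size]).hexdigest()[:16]
            for i in range(len(blob) - size + 1)}


def reuse_graph(samples: dict, min_shared: int = 3) -> dict:
    """Connect every pair of samples that shares at least min_shared pieces.
    Returns {(name_a, name_b): shared_piece_count} with names in sorted order."""
    pieces = {name: code_pieces(blob) for name, blob in samples.items()}
    edges = {}
    for a, b in combinations(sorted(samples), 2):
        shared = len(pieces[a] & pieces[b])
        if shared >= min_shared:
            edges[(a, b)] = shared
    return edges


def sharing_summary(edges: dict, owner: dict) -> Counter:
    """Split connections into intra-service and cross-service, given a
    sample -> service attribution map (constructed here, not a real one)."""
    summary = Counter()
    for a, b in edges:
        summary["intra" if owner[a] == owner[b] else "cross"] += 1
    return summary


# Constructed samples: two "services", each with its own 64-byte shared library.
# Every byte value is unique within a sample, so windows cannot collide by chance.
LIB_A = bytes(range(0, 64))
LIB_B = bytes(range(128, 192))
SAMPLES = {
    "svcA_tool1": bytes(range(64, 80)) + LIB_A,
    "svcA_tool2": LIB_A + bytes(range(80, 96)),
    "svcB_tool1": bytes(range(96, 112)) + LIB_B,
    "svcB_tool2": LIB_B + bytes(range(112, 128)),
}
OWNER = {name: name.split("_")[0] for name in SAMPLES}  # constructed attribution


def with_leaked_library() -> tuple:
    """Variant where a service-B tool embeds service A's library, so the
    graph gains cross-service edges. Returns (edges, summary)."""
    samples = dict(SAMPLES, svcB_tool3=LIB_A + bytes(range(192, 208)))
    owner = dict(OWNER, svcB_tool3="svcB")
    edges = reuse_graph(samples)
    return edges, sharing_summary(edges, owner)


if __name__ == "__main__":
    edges = reuse_graph(SAMPLES)
    for pair, n in edges.items():
        print(f"{pair[0]} <-> {pair[1]}: {n} shared pieces")
    print(sharing_summary(edges, OWNER))   # intra-service edges only
    print(with_leaked_library()[1])        # intra and cross edges
```

With the constructed input, each 64-byte library yields 57 eight-byte windows, so the two in-service pairs each share 57 pieces and no cross-service edge appears; once a service-B tool embeds service A's library, two cross-service edges show up. The same structure, with function hashes in place of byte windows and a much larger corpus, is what lets an analyst ask whether reuse stays inside one attributed group or crosses between them.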

  • State hacking groups don't share code with each other? How inefficient!

    Maybe that's just what they want us to think.

    But, then look at the dick measuring contests between different US agencies local, state and federal.
    • Comment removed based on user account deletion
• Probably keeps them all sharp and makes it more likely for them to discover new or different vectors because they can't just rely on someone else's code that they probably won't bother to fully understand for themselves if they're like most developers. Maybe it's less efficient, but I'm willing to bet that it makes them more effective in the long run.
• Probably keeps them all sharp and makes it more likely for them to discover new or different vectors because they can't just rely on someone else's code that they probably won't bother to fully understand for themselves if they're like most developers. Maybe it's less efficient, but I'm willing to bet that it makes them more effective in the long run.

        This is more along the same lines as I was thinking.

        However, I think there are also counterintelligence reasons. If the code streams are blended, then it could become much harder to figure out if there's a spy in the soup. You want to keep everything compartmentalized so that if something seems to have been compromised, you can figure out where to look.

        (Maybe I've read too many history books about squabbles between the various intelligence agencies? But there was that deep mole in the FBI...)

    • The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds.
      This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.

"Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," researchers said.
      "While each actor does reuse its code in different operations and between different malware families, there is no single tool, library or framework that is shared between different actors."

      Researchers say these findings suggest that Russia's cyber-espionage apparatus is investing a lot of effort into its operational security.
      "By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations," researchers said.

      Good for when you are on the offensive and only attacks you expect are counterattacks reacting to your attacks.
      Not so good and rather counterproductive for actual national security or for keeping track of known threats.
      See: Every crime movie where cops and the FBI keep tripping over each other and argue over jurisdiction while the criminals get away with their dastardly plan.

      • In Russia, that would be the good guys getting away...
    • Attribution is hard. It's not easy to prove that these groups are related to the Russian government, or even that they operate from Russia.
  • by Comboman ( 895500 ) on Tuesday September 24, 2019 @12:45PM (#59231364)
    Sharing is about trust, so I wouldn't expect to see much of it among shadowy government agencies (you never know when you might be tasked to hack a fellow agency). In fact, I bet there's very little sharing even between individual black-hat hackers within these groups.
• Someone please mod this up! When you are in an intel agency, the first thing to do is to not trust anyone. So, sharing implies trusting.
    • by TWX ( 665546 )

      They're also most likely in competition with each other for funding/resources. If Team-A and Team-B share resources too much, and Team-A proves successful then Team-B might find its funding cut, even if Team-B's developments are what allowed Team-A to succeed.

      Think about your own workplace. Coworkers are arguably in-competition with each other, and sometimes departments have to make termination or promotion choices based partly on employee performance. As such one has to gauge how much to share with cowo

  • by grep -v '.*' * ( 780312 ) on Tuesday September 24, 2019 @12:50PM (#59231374)
    That's because the code is easy to write but the DOCUMENTATION is hard.

    (... as opposed to: The whisky is agreeable, but the meat has gone bad.)
  • Seems like sharing your stuff is a good way to lose your zero-day before your campaign starts.
  • Wait! Wait! Wait! (Score:3, Insightful)

    by Anonymous Coward on Tuesday September 24, 2019 @01:27PM (#59231488)
    So they look at a bunch of malware THAT THEY PRESUME COMES FROM RUSSIA - Found no commonality - and then concluded that the 3 Russian security agencies must not share code?
    More enlightened minds might question the hypothesis that this malware came from those Russian agencies and might be independently run by individual hacking/piracy groups (possibly still from within Russia)
    • by skids ( 119237 )

      In fact, the whole thing is a hoax. See, Russia doesn't actually exist. It's all a fake news construct manufactured just to bring down Trump. Don't believe ANYTHING you see, hear, smell, touch, or taste!

  • by QuietLagoon ( 813062 ) on Tuesday September 24, 2019 @01:36PM (#59231518)
    If they all used the same code it would be a lot easier to trace to the ultimate source. Using multiple source bases reduces the mono-code vulnerability, and also makes it tougher to defend against. It wouldn't surprise me if they weren't sharing code intentionally.
    • If they all used the same code it would be a lot easier to trace to the ultimate source.

      No, that's backwards. If they all used the same code you only know what country it's coming from. We know that already.

      Using multiple source bases reduces the mono-code vulnerability, and also makes it tougher to defend against.

      That part is true.

      It wouldn't surprise me if they weren't sharing code intentionally.

      Well, they're not accidentally not sharing code.

  • by Anonymous Coward on Tuesday September 24, 2019 @02:00PM (#59231582)
    Even within our team, we don't share a lot. Partially it comes down to personal familiarity with our own tools. When you do this kind of work, you need to be intimately familiar with any potential IOCs as you can easily get burned. That brings me to point two, if you share, and the guy you shared it with does something stupid and gets the technique or tool burned, you are both screwed, and their mistake could cost you many active campaigns. This is probably not accidental inefficiency, it is "by design". To the extent that we share regularly, we tend to share only high-level techniques, thus ensuring different executions.
  • The same that wrote and write all those nice cracks for you that make shared software run.

    The state part is just the white line the US ownership needs to snort right now.

    Not that the Russian leaders would not employ in it, like the USA, Israel, the UK, China, etc.
    But they are not that dumb and plump to leave such rookie traces.

  • by wyattstorch516 ( 2624273 ) on Tuesday September 24, 2019 @03:53PM (#59231864)
    I could never get a Russian to be able to translate "script kiddie".
• report, co-authored by Check Point and Intezer Labs [zdnet.com]
  • by Archtech ( 159117 ) on Wednesday September 25, 2019 @04:16AM (#59233130)

    "Russia's state-sponsored hacking groups rarely share code with one another, and when they do, it's usually within groups managed by the same intelligence service, a new joint report published today reveals".

    Joint reports are usually evidence-free concoctions of drug-addled fantasy, often paid for by the wealthy and powerful backed by the Deep State, a comment by Archtech published today reveals.

My "editor" self notes with admiration the elegant way in which the article's first sentence leads with the unproved and unprovable allegation - which thus becomes the whole headline - before admitting, on the second line where some readers will not even notice it, that the source is "a new joint report".

    A new joint report by whom? one asks. Check Point and Intezer, it turns out. Check Point is a corporation that makes a great deal of money from the US government, and thus is doubly motivated to smear Russia. Intezer presumably provided the software used to reach the conclusion that Russians were responsible.

    "The two companies looked at nearly 2,000 malware samples that were previously linked to Russia state-sponsored hacking groups, in order to get an idea of how these malware samples related to each other".

    And those malware samples were "previously linked to Russia" BY WHOM? And WHY? And with what evidence?

    An unbiased person, seeing that the malware samples turn out not to be related to each other, would reasonably infer that they were not written or used by the same people.
