Russian Intelligence Service

Russian Intelligence Service - Overview

Summary

The Russian intelligence services comprise several agencies, of which the main three are the Main Intelligence Directorate of the General Staff (GRU, military intelligence), the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR). With the war in Ukraine ongoing, Russia is likely to continue cyber campaigns both inside Ukraine and beyond its borders.

There are also links between these agencies and Russian cyber criminals, and the Russian government has a history of sheltering Russian cybercriminals and their affiliated groups.

In this Threat Horizon, the ITC-TI team gives an overview of the Russian intelligence services and their cyber capabilities.

Key takeaways

  • Russia’s intelligence agencies are actively engaged in aggressive cyber activity throughout the world, mainly in support of the Kremlin’s geopolitical agenda.
  • Russia’s intelligence services conduct campaigns to undermine Western governments.
  • The services overlap and work together to carry out cyber espionage and campaigns across most sectors. Russian APT groups are highly sophisticated and have the capability to deploy zero-day exploits.

Mitigations

  • Enforce a strong password policy.
  • Enforce MFA.
  • Perform audits and scan networks and systems regularly.
  • Filter and monitor inbound and outbound network traffic.
  • Monitor Remote Desktop (RDP) connections.
  • Patch systems continually.
  • Keep AV/anti-malware defences up to date.
  • User education.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications between networks and devices.
  • Disable unnecessary services on workstations and servers.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists.
  • SOC monitoring 24×7.

Within its 24×7 operations centre, ITC is carrying out threat hunting across all of its customers to establish whether there has been any malicious activity matching the IOCs and TTPs described in this threat horizon.

For our Sentinel customers, we continue to build and refine analytical rules to detect specific tactics used by threat actors and, as new IOCs become available, to look for historical signs of compromise. These IOCs are then fed into a long-term watchlist that is matched regularly against customer environments to detect future signs of compromise.
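Matching a watchlist against historical telemetry is less mechanical than it sounds: indicators arrive defanged ("hxxp", "[.]"), a domain indicator has to catch its subdomains but not look-alike names, and a netblock has to be matched as a range rather than a string. The Python below is an added illustration of that matching logic and is not ITC's or Sentinel's own code; the watchlist values, the log records and their field names (src_ip, dst_ip, host, sha256) are all constructed for the example.

```python
import ipaddress
import re

# Constructed IOC watchlist in the defanged forms analysts usually share.
# Every value below is made up for this example; none is a real indicator.
WATCHLIST = [
    "hxxp://update-check[.]example[.]net/api/v1",   # C2 URL
    "mail-login[.]example[.]org",                    # phishing domain
    "203[.]0[.]113[.]45",                            # single C2 address
    "198.51.100.0/24",                               # hostile netblock
    "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",  # SHA-256 of a dropper
]

# Constructed log records of the kind a proxy/DNS/EDR pipeline would produce.
SAMPLE_LOGS = [
    {"ts": "2022-03-01T10:02:11Z", "src_ip": "10.0.0.12", "dst_ip": "203.0.113.45", "host": "cdn.example.com", "sha256": ""},
    {"ts": "2022-03-01T10:05:40Z", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.8", "host": "www.mail-login.example.org", "sha256": ""},
    {"ts": "2022-03-02T08:15:02Z", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.77", "host": "", "sha256": ""},
    {"ts": "2022-03-02T09:00:00Z", "src_ip": "10.0.0.9", "dst_ip": "192.0.2.9", "host": "intranet.corp.local",
     "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"ts": "2022-03-03T11:11:11Z", "src_ip": "10.0.0.3", "dst_ip": "192.0.2.10", "host": "notmail-login.example.org", "sha256": ""},
]


def refang(ioc: str) -> str:
    """Undo common defanging ('hxxp', '[.]', '(.)') so the indicator can be compared."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[at]", "@")):
        s = s.replace(broken, fixed)
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def classify(ioc: str):
    """Return (kind, value) where kind is 'hash', 'net' or 'domain'."""
    s = refang(ioc)
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", s):
        return "hash", s
    if s.startswith(("http://", "https://")):
        # Match on the host only: attackers rotate paths far more often than domains.
        host = re.sub(r"^https?://", "", s).split("/")[0].split(":")[0]
        return "domain", host
    try:
        return "net", ipaddress.ip_network(s, strict=False)  # a bare IP becomes a /32
    except ValueError:
        return "domain", s.rstrip(".")


def match_record(rec: dict, indicators) -> list:
    """Return the (kind, indicator) pairs from the watchlist that this record hits."""
    hits = []
    host = rec.get("host", "").lower().rstrip(".")
    for kind, value in indicators:
        if kind == "domain":
            # Exact match or a subdomain of the indicator; 'notmail-login...' must not match.
            if host and (host == value or host.endswith("." + value)):
                hits.append((kind, value))
        elif kind == "net":
            for field in ("src_ip", "dst_ip"):
                ip = rec.get(field)
                if ip and ipaddress.ip_address(ip) in value:
                    hits.append((kind, str(value)))
        elif kind == "hash":
            if rec.get("sha256", "").lower() == value:
                hits.append((kind, value))
    return hits


def hunt(records, watchlist):
    """Run the watchlist over historical records; returns [(timestamp, hits), ...]."""
    indicators = [classify(i) for i in watchlist]
    results = []
    for rec in records:
        hits = match_record(rec, indicators)
        if hits:
            results.append((rec["ts"], hits))
    return results


if __name__ == "__main__":
    for ts, hits in hunt(SAMPLE_LOGS, WATCHLIST):
        print(ts, hits)
```

Run as-is the script reports four of the five records; the fifth, a look-alike domain that merely ends in the indicator's characters, is correctly ignored. Against a real SIEM the same three comparisons (suffix match on hosts, range membership on addresses, exact match on hashes) are what the watchlist join has to express, and the defanging step is what stops a copied-and-pasted indicator from silently matching nothing.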

Cyber Operations and the Russian Intelligence Services

Over the last decade Russia has become one of the world’s most capable and prolific cyber threat actors. Its cyber activity falls mainly under three intelligence services:

  • Main Intelligence Directorate of the General Staff / military intelligence (GRU).
  • Federal Security Service (FSB).
  • Foreign Intelligence Service (SVR).
 
 
 
GRU
 
The GRU, Russia’s military intelligence agency, has been linked to many operations over the years, from attempts to influence the 2016 US presidential election, to attacks on the energy sector, and more recently the targeting of Ukrainian government websites.

Unit 29155

This unit has a global reach and has been involved in assassination attempts and in undermining and destabilising governments through propaganda.

Unit 29155 has also been linked to the hack of the World Anti-Doping Agency (WADA) and the attempted hack of the Organisation for the Prohibition of Chemical Weapons (OPCW).

Unit 54777

Unit 54777 conducts online disinformation and information operations. It is the GRU’s main psychological-warfare department and also Russia’s main propaganda unit. Unit 54777 runs several front organisations that are financed through government grants as public-diplomacy bodies but are covertly run by the GRU and aimed at Russian expatriates.

Two of the main fronts are InfoRos (“the world through the eyes of Russia”), a Russian press and media website aimed at countering what it calls anti-Russian information campaigns by Western media, and the Institute of the Russian Diaspora, which describes itself as “the only Russian scientific institution providing a comprehensive study of socio-political and economic processes in the post-Soviet space and the problems of Russian compatriots” and also offers legal aid and the protection of rights for compatriots living abroad.

Unit 26165 aka Fancy Bear, APT28, STRONTIUM

Fancy Bear is a highly sophisticated Russian cyber-espionage group whose main modus operandi is phishing combined with credential harvesting. It operates across the globe and targets many industries and sectors, including government, military and critical infrastructure.

As with Unit 29155, Fancy Bear has reportedly been linked to the compromise of the Hillary Clinton presidential campaign, the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, and the Organisation for the Prohibition of Chemical Weapons (OPCW).

Main APT28 MITRE ATT&CK Techniques

Reconnaissance
  • T1598: Phishing for Information – APT28 may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information.

Initial Access
  • T1190: Exploit Public-Facing Application – APT28 may take advantage of a weakness in an Internet-facing computer or program, using software, data, or commands to cause unintended or unanticipated behaviour.
  • T1133: External Remote Services – APT28 may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
  • T1091: Replication Through Removable Media – APT28 may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system.
  • T1199: Trusted Relationship – APT28 may breach or otherwise leverage organisations that have access to the intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network.
  • T1078: Valid Accounts – APT28 may obtain and abuse the credentials of existing accounts as a means of gaining initial access, persistence, privilege escalation or defence evasion.

Execution
  • T1203: Exploitation for Client Execution – APT28 may exploit software vulnerabilities in client applications to execute code.

Persistence
  • T1133: External Remote Services – as under Initial Access; the same VPN, Citrix and similar remote-access services can be used to maintain access once credentials are in hand.
  • T1078: Valid Accounts – as under Initial Access; stolen credentials give persistent access that survives the removal of malware.

Privilege Escalation
  • T1068: Exploitation for Privilege Escalation – APT28 may exploit software vulnerabilities to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
  • T1078: Valid Accounts – as under Initial Access; a compromised privileged account gives elevated access directly.

Defense Evasion
  • T1140: Deobfuscate/Decode Files or Information – APT28 may use obfuscated files or information to hide artefacts of an intrusion from analysis, decoding or deobfuscating them on the host only when they are needed.
  • T1211: Exploitation for Defense Evasion – APT28 may exploit a system or application vulnerability to bypass security features.
  • T1036: Masquerading – APT28 may manipulate features of their artefacts to make them appear legitimate or benign to users and/or security tools.
  • T1014: Rootkit – APT28 may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
  • T1221: Template Injection – APT28 may create or modify references in Office document templates to conceal malicious code or force authentication attempts.
  • T1078: Valid Accounts – as under Initial Access; activity under a legitimate account blends in with normal use.

Credential Access
  • T1110: Brute Force – APT28 may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
  • T1040: Network Sniffing – APT28 may sniff network traffic to capture information about an environment, including authentication material passed over the network.
  • T1003: OS Credential Dumping – APT28 may dump credentials to obtain account login and credential material, normally in the form of a hash or a clear-text password, from the operating system and software. The credentials can then be used for lateral movement and to access restricted information.
  • T1528: Steal Application Access Token – APT28 can steal users’ application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.

Discovery
  • T1083: File and Directory Discovery – APT28 may enumerate files and directories, or search specific locations of a host or network share for particular information within a file system.
  • T1040: Network Sniffing – as under Credential Access; captured traffic also reveals the hosts, services and protocols in use.
  • T1120: Peripheral Device Discovery – APT28 may attempt to gather information about attached peripheral devices and components connected to a computer system.
  • T1057: Process Discovery – APT28 may attempt to get information about running processes on a system. The information can be used to understand the common software and applications running on systems within the network.

Lateral Movement
  • T1210: Exploitation of Remote Services – APT28 may exploit remote services to gain unauthorised access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
  • T1091: Replication Through Removable Media – as under Initial Access; the same technique carries malware between systems, including onto air-gapped ones.

Collection
  • T1560: Archive Collected Data – APT28 may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data helps to obfuscate it and minimises the amount of data sent over the network.
  • T1119: Automated Collection – APT28 may use automated techniques for collecting internal data, for example a command and scripting interpreter that searches for and copies information matching set criteria such as file type, location, or name at specific time intervals.
  • T1213: Data from Information Repositories – APT28 may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can hold a wide variety of data that may aid adversaries in further objectives or give direct access to the target information.
  • T1005: Data from Local System – APT28 may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
  • T1039: Data from Network Shared Drive – APT28 may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration.
  • T1025: Data from Removable Media – APT28 may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to exfiltration.
  • T1113: Screen Capture – APT28 may take screen captures of the desktop to gather information over the course of an operation. Screen capture may be a feature of a remote access tool used in post-compromise operations, and is also typically possible through native utilities or API calls such as CopyFromScreen, xwd, or screencapture.

Command and Control
  • T1092: Communication Through Removable Media – APT28 can perform command and control between compromised hosts on potentially disconnected networks, using removable media to transfer commands from system to system.
  • T1105: Ingress Tool Transfer – APT28 may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary-controlled system through the command and control channel, or through alternate protocols with another tool such as FTP, to bring tools into the victim network.

Exfiltration
  • T1030: Data Transfer Size Limits – APT28 may exfiltrate data in fixed-size chunks instead of whole files, or limit packet sizes below certain thresholds, to avoid triggering network data transfer threshold alerts.
  • T1567: Exfiltration Over Web Service – APT28 may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services give a significant amount of cover as an exfiltration mechanism because hosts within a network are likely to have been communicating with them already before the compromise.
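Of the techniques above, Template Injection (T1221) is one a defender can check for directly, because the reference to a remote template lives in a predictable place: the Relationship in word/_rels/settings.xml.rels that the w:attachedTemplate element in settings.xml points at, with TargetMode="External". A UNC or file: target in that relationship also makes Office attempt to authenticate to the remote host when the document opens, which is the "force authentication attempts" half of the technique. The Python below is an added example written for this report, not code from the page's sources or from any APT28 tooling; it builds a minimal, constructed .docx in memory and then scans it, and it assumes the standard OOXML relationship types and part names shown in the constants.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
HYPERLINK = OFFICE_REL + "/hyperlink"


def build_docx(template_target=None) -> bytes:
    """Build a minimal .docx in memory (constructed sample, not a real document).
    With template_target set, word/_rels/settings.xml.rels points the attached
    template at that external location, which is how T1221 is staged."""
    rels = [f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_REL_NS}">']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL}">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


def scan_docx(data: bytes) -> list:
    """Flag every external relationship in the package that is not an ordinary hyperlink.
    Each finding is {"part", "type", "target", "forces_auth"}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue                   # internal parts live inside the zip itself
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                if rtype == HYPERLINK:
                    continue                   # clickable links are normal and need a user action
                low = target.lower()
                findings.append({
                    "part": name,
                    "type": rtype.rsplit("/", 1)[-1],      # e.g. 'attachedTemplate'
                    "target": target,
                    # A UNC or file: target makes Office authenticate to that host on open.
                    "forces_auth": low.startswith("\\\\") or low.startswith("file:"),
                })
    return findings


if __name__ == "__main__":
    print(scan_docx(build_docx()))                                            # []
    print(scan_docx(build_docx("http://templates.example.net/invoice.dotm")))
    print(scan_docx(build_docx(r"\\203.0.113.9\share\invoice.dotm")))
```

A clean document produces no findings; a document whose template points at an HTTP location is reported as an external attachedTemplate, and one pointing at a UNC share is additionally marked as forcing authentication. The scan deliberately ignores internal template references (a local .dotm on the user's machine) and external hyperlinks, but it does report other external object relationships, which are rare in legitimate mail attachments and worth a look when they appear.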

Unit 74455 aka the Sandworm Team (Group), Voodoo Bear

The Sandworm Team has carried out some of the biggest cyber attacks attributed to Russia, including the KillDisk and Industroyer malware attacks that caused blackouts in Ukraine in 2015 and 2016 respectively, against Ukrainian electricity companies and government organisations. It is also linked to the NotPetya attacks and to the attack on the Organisation for the Prohibition of Chemical Weapons (OPCW), and it works closely with Fancy Bear.

Main Sandworm Team MITRE ATT&CK Techniques

Initial Access
  • T1566: Phishing – Sandworm Team has primarily used spear-phishing emails to gain access to computers or account credentials.

Execution
  • T1059: Command and Scripting Interpreter – Sandworm Team uses PowerShell commands and scripts to discover system information, execute code and download malware.
  • T1204: User Execution – Sandworm Team relies on the recipient opening the malicious documents attached to its phishing emails.

Persistence
  • T1078: Valid Accounts – Sandworm Team obtains and abuses the credentials of existing accounts as a means of gaining initial access, persistence, privilege escalation or defence evasion. Compromised credentials may be used to bypass access controls placed on resources within the network, and to maintain persistent access to remote systems and externally available services such as VPNs, Outlook Web Access and Remote Desktop.

Privilege Escalation
  • T1078: Valid Accounts – Sandworm Team uses valid accounts for privilege escalation and movement across networks.

Defense Evasion
  • T1070: Indicator Removal on Host – Sandworm Team attempts to obscure its activity by deleting data from compromised machines and servers and clearing event logs.
  • T1036: Masquerading – Sandworm Team may masquerade as another threat actor.

Credential Access
  • T1003: OS Credential Dumping – Sandworm Team has been known to dump credentials from compromised machines to obtain account logins and credential material.
  • T1552: Unsecured Credentials – Sandworm Team may search compromised machines for insecurely stored credentials, such as passwords saved in files or configuration data, and reuse them as it moves from one machine to another.

Discovery
  • T1083: File and Directory Discovery – Sandworm Team may enumerate files and directories, or search specific locations of a host or network share for particular information within a file system. The results of this discovery shape follow-on behaviour, including whether the adversary fully infects the target and which specific actions it attempts.

Lateral Movement
  • T1210: Exploitation of Remote Services – Sandworm Team may exploit remote services to gain unauthorised access to internal systems, using credential-harvesting tools along the way.

Collection
  • T1005: Data from Local System – Once inside a system, Sandworm Team identifies, collects, packages and views targeted data, including usernames, IP addresses, and server data relating to RDP sessions on the target computers.

Command and Control
  • T1001: Data Obfuscation – Sandworm Team may obfuscate command and control traffic to make it harder to detect. The C2 communications are hidden (but not necessarily encrypted) to make the content more difficult to discover or decipher, to make the communication less conspicuous, and to hide the commands being sent.

Impact
  • T1491: Defacement – Sandworm Team has been known to deface websites.
  • T1490: Inhibit System Recovery – Sandworm Team uses malware to delete files, damage hardware and lock down machines so that they are unusable.

ITC-TI Recommendations

  • Enforce a strong password policy.
  • Perform audits and scan systems regularly.
  • Enforce MFA.
  • Filter network traffic.
  • SOC monitoring 24×7.

 

Federal Security Service (FSB)

The Federal Security Service (FSB) is Russia’s principal domestic security agency, responsible for internal security and counter-intelligence, and it also conducts cyber operations both at home and abroad. The FSB can build its own malware tools and uses sophisticated, well-practised tradecraft to conceal its activities, including mimicking other APT groups. Its main targets are critical infrastructure and the energy sector.

It has been suggested that the FSB also recruits hackers from outside the service to carry out its work (“Intrusion: A Brief History of Russian Hackers”, Daniil Turovsky). The FSB has a long list of cyber operations across the globe, covering the energy sector, government, aviation, national and critical infrastructure, and the targeting of Russian dissidents. Its two main cyber actors are Centre 16 (also known as ‘Energetic Bear’, ‘Berserk Bear’ and ‘Crouching Yeti’) and the Turla APT group.

Centre 16 aka Energetic Bear, Berserk Bear and Crouching Yeti

FSB Centre 16 has been observed conducting cyber operations since at least 2010. It mainly compromises its targets through compromised (trojanised) software packages, and gains unauthorised access to networks through spear phishing. It also targets critics of the Kremlin.

Turla APT aka Snake, Uroburos, and Venomous Bear

Turla is known for watering-hole and spear-phishing campaigns, and the group is believed to have been responsible for the 2008 intrusion into US Central Command. Turla is highly technically sophisticated and has the capability to use zero-day exploits.

ITC-TI Recommendations

  • Enforce a strong password policy.
  • Perform audits and scan systems regularly.
  • Enforce MFA.
  • Filter network traffic.
  • SOC monitoring 24×7.

Foreign Intelligence Service (SVR)

The SVR’s main tasks are human and strategic intelligence, focusing mainly on civilian affairs. It uses a variety of tools and techniques to target predominantly overseas governments, diplomatic bodies, think-tanks, healthcare, energy, telecommunications and critical infrastructure; its operations include the SolarWinds supply-chain compromise and the SUNBURST malware delivered through it.

Its cyber activities have a global reach for intelligence gain, and the SVR is technically sophisticated and well resourced in its operations. Its most recent targeting has been of COVID-19 vaccine development and of organisations in Ukraine. The main threat actor linked to the SVR is Cozy Bear.

Cozy Bear aka APT29, The Dukes, NOBELIUM, UNC2452

Cozy Bear is a threat group attributed to Russia’s Foreign Intelligence Service (SVR). Its modus operandi falls into two camps: a “smash and grab” approach, similar to that often seen in Chinese operations, of collecting and exfiltrating as much data as possible; and long-term intelligence gathering.

Main Cozy Bear MITRE ATT&CK Techniques

Initial Access
  • T1190: Exploit Public-Facing Application – Cozy Bear may take advantage of a weakness in an Internet-facing computer or program, using software, data, or commands to cause unintended or unanticipated behaviour.
  • T1199: Trusted Relationship – Cozy Bear may breach or otherwise leverage organisations that have access to the intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network.
  • T1195: Supply Chain Compromise – Cozy Bear manipulates products or product-delivery mechanisms before they reach the final consumer, for the purpose of data or system compromise.

Execution
  • T1059: Command and Scripting Interpreter – Cozy Bear may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.

Persistence
  • T1505: Server Software Component – Cozy Bear may abuse the legitimate extensibility features of servers to establish persistent access to systems.

Defense Evasion
  • T1078: Valid Accounts – Cozy Bear may obtain and abuse the credentials of existing accounts as a means of gaining initial access, persistence, privilege escalation or defence evasion.

Collection
  • T1114: Email Collection – Cozy Bear may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries, who can collect or forward email from mail servers or clients.

SVR Cyber Operations Tactics, Techniques, and Procedures (TTPs)

Reconnaissance
  • T1595.002: Active Scanning: Vulnerability Scanning – The SVR frequently scans for systems affected by publicly known exploits, most recently including Microsoft Exchange servers vulnerable to CVE-2021-26855.

Initial Access
  • T1190: Exploit Public-Facing Application – The SVR frequently uses publicly available exploits to conduct widespread exploitation of vulnerable systems, including Citrix, Pulse Secure, FortiGate, Zimbra and VMware products.
  • T1195.002: Supply Chain Compromise: Compromise Software Supply Chain – The SVR manipulates products or product-delivery mechanisms before they reach the final consumer, as in the SolarWinds compromise.
  • T1199: Trusted Relationship – The SVR leveraged access gained from the SolarWinds campaign to compromise a certificate issued by Mimecast, which it then used to authenticate a subset of Mimecast’s products to customer systems.

Execution
  • T1059.005: Command and Scripting Interpreter: Visual Basic – The SVR deployed Sibot, a simple custom downloader written in VBScript, after compromising victims via SolarWinds.

Persistence
  • T1505.003: Server Software Component: Web Shell – The SVR typically deploys a web shell on Microsoft Exchange servers following a successful compromise.
  • T1078: Valid Accounts – SVR actors have maintained persistence on high-value targets using stolen credentials.

Credential Access
  • T1110.003: Brute Force: Password Spraying – The SVR may use a single password, or a small list of commonly used passwords, against many different accounts to acquire valid credentials. Password spraying uses one password (e.g. ‘Password01’), or a short list of common passwords that may satisfy the domain’s complexity policy, tried once per account across many accounts; this avoids the lockouts that repeated guesses against a single account would trigger.
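Because a spray touches each account only once or twice, a lockout threshold never fires and the pattern only shows up when failures are grouped by source rather than by account. The Python below is an added example written for this report, not ITC's detection content or any SVR tooling; it parses a constructed authentication log in a made-up "ts src= user= result=" format and flags a source that fails against many distinct accounts in a short window while hitting each account only a couple of times, then checks whether the same source logged in successfully afterwards. The window and thresholds are assumptions to be tuned per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real data): one source tries six accounts once each
# and then logs in as 'carol'; a second source hammers one account; a third is a user typo.
SAMPLE_LOG = """\
2022-03-01T09:00:01Z src=198.51.100.23 user=alice result=FAIL
2022-03-01T09:00:03Z src=198.51.100.23 user=bob result=FAIL
2022-03-01T09:00:05Z src=198.51.100.23 user=carol result=FAIL
2022-03-01T09:00:07Z src=198.51.100.23 user=dave result=FAIL
2022-03-01T09:00:09Z src=198.51.100.23 user=erin result=FAIL
2022-03-01T09:00:11Z src=198.51.100.23 user=frank result=FAIL
2022-03-01T09:01:30Z src=198.51.100.23 user=carol result=OK
2022-03-01T09:02:00Z src=10.0.0.5 user=alice result=FAIL
2022-03-01T09:02:10Z src=10.0.0.5 user=alice result=FAIL
2022-03-01T09:02:20Z src=10.0.0.5 user=alice result=FAIL
2022-03-01T09:02:30Z src=10.0.0.5 user=alice result=FAIL
2022-03-01T09:03:00Z src=10.0.0.8 user=bob result=FAIL
2022-03-01T09:03:20Z src=10.0.0.8 user=bob result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Parse log lines into (timestamp, source, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip anything that is not an auth record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"].lower(), m["result"]))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag a source that fails against at least `min_accounts` distinct accounts inside
    `window` while touching each account at most `max_per_account` times. Brute force
    against one account (many failures, one user) deliberately does not match."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    alerts = []
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            in_window = Counter(user for ts, user in fails[i:] if ts - start <= window)
            if len(in_window) >= min_accounts and max(in_window.values()) <= max_per_account:
                # A success from the same source shortly after the spray is the real alarm.
                landed = sorted({u for ts, u, r in evs
                                 if r == "OK" and start <= ts <= start + 2 * window})
                alerts.append({"src": src, "start": start.isoformat(),
                               "accounts": len(in_window), "followed_by_success": landed})
                break                     # one alert per source is enough for a hunt
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the sample, only 198.51.100.23 is reported (six accounts, then a successful login as carol); the single-account brute force from 10.0.0.5 and the mistyped password from 10.0.0.8 are not. Real sprays are often spread across many source addresses and over hours or days, so the same counting should also be run per target domain with the source ignored, accepting the extra tuning that needs.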

Recommendations

  • MFA for all users, both on premises and from remote locations.
  • Monitor Remote Desktop (RDP) connections.
  • Enforce a strong password policy and periodic password changes.
  • Security team to monitor the organisation’s infrastructure 24/7.

Conclusion

The Russian intelligence services and Russian cyber criminals will continue to target Western organisations across many sectors, and collusion between the Russian state and Russian cyber criminals is likely to increase. Russian cyber threats are highly sophisticated and well organised. As a baseline, organisations should maintain the security posture outlined in this report.

Contact ITC Secure for further assistance.

Sources

  1. CISA – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
  2. MITRE ATT&CK®
  3. NCSC – https://www.ncsc.gov.uk/
  4. NCSC – Russia’s FSB malign activity: factsheet (https://www.ncsc.gov.uk/)
  5. ECFR – Putin’s Hydra: Inside Russia’s Intelligence Services (https://ecfr.eu/)
  6. NATO Strategic Communications Centre of Excellence, Riga, Latvia (stratcomcoe.org)

Appendix

Judgments of Likelihood

The chart (not reproduced here) approximates how judgments of likelihood, such as “likely” in the Summary, correlate with percentages.

RIS Cyber Organogram (diagram not reproduced here; source: https://www.gov.uk/ – Russia’s FSB malign activity: factsheet)