The December 2016 “Grizzly Steppe” joint analysis report issued by the FBI and DHS provided a table of monikers attributable to various Russian cybercriminal organizations serving the state’s intelligence services. However, understanding what these names refer to is a challenge in and of itself. As noted by Florian Roth in a 2018 Medium article, similarities in names do not necessarily indicate a shared meaning, but are more likely attributable to a cybersecurity firm’s naming scheme. Names may also be derived from the malware or operations the group is associated with. Given the secretive and dynamic nature of illicit groups, cybersecurity firms may disagree about what terms can be treated as describing a single entity. Cyber criminal organizations may share malware. They may merge into larger groups and seceded from them. Coining their own terminology therefore enables cybersecurity firms to avoid being bound to other firms’ determinations regarding a threat group–and avoids acknowledging business rivals as definitive authorities on the subject.
In his article, Roth links to a Google spreadsheet attempting to identify the range of monikers applying to specific cybercriminal organization. This spreadsheet includes a tab for Russian actors, as well as a tab explaining cybersecurity firms naming schemes. Crosslisting names from the FBI/DHS report with names from the “Russia” tab of this spreadsheet, as well as a 2018 listicle composed by Kelly Sheridan for Dark Reading, and adversary details added to the Open Threat Exchange by the Malware Information Sharing Platform (MISP) should provide a fairly reliable guide to understanding which names apply to the same actors. As Roth noted, this process “is often imprecise and sometimes flawed.” Still, “a partly incorrect mapping is better than having no mapping at all.”
I have connected the vast majority of the names from the FBI/DHS report, and a few additional names attributable to specific naming schemes, to five Russian cybercriminal organizations. Where possible, I have also included information on the cybercriminals’ methods, targets, and connections to the Russian state.
GROUP #1
The eponymous “Grizzly Steppe” Russian proxy group may be alternatively named “Advanced Persistent Threat (APT) 28” or “Group 74”, in accordance with FireEye/Mandate’s and Cisco Talos’s generic naming schemes, respectively. It may also be referred to as “Fancy Bear” or “Iron Twilight”, in accordance with Crowdstrike’s and DELL SecureWorks’s naming schemes for Russian cyber threats. Names derived from the group’s malware may include “Chopstick”, “Coreshell”, “Sedkit”, “Sednit”, “Sofacy”, “Sourface”, “X-Tunnel” and “X-Agent”. The name “Pawn Storm” appears to refer to an operation conducted by this groups. “Oldbait” and “Tsar Team” are additional names featured in the FBI/DHS report which appear to refer to this group.
Writing for AVG Technologies, a subsidiary of Prague based Avast, Joseph Regan included this group on his list of the world most dangerous hackers, noting that it “is strongly associated with the Russian government and seems to support its cyberwarfare activities”, despite the Russian governments claims that no such affiliation exists. In fact, Regan notes that this Russian cyber criminal organization appears to have emerged on the scene to help pave the way for the 2008 invasion of Georgia. The MISP project suggests that the group was already operating in 2007, but likewise suggests that the group is connected to Russian state actors. Sheridan sheds more light on the connections between this cybercriminal organization and the Russian state, describing the criminals as most likely constituting “an arm of the Russian military intelligence agency GRU.” This group not only lends one of its names to the FBI/DHS report, but was identified by both Regan and Sheridan as the most dangerous Russian cyber criminal threat.
According to Sheridan, this groups primary method, like most such cyber groups, is spearphishing. However, the group employs a division of labor, with a plethora of subgroups each charged with different types and stages of cyberattacks. Subgroups may be charged with tasks ranging from phishing to proliferating disinformation over social media. As Regan noted, tying this group to specific operations is difficult, because they prefer not to take the credit, and have been known to impersonate other groups unaffiliated with Russia.
While this group has targeted the U.S. government, it primarily targets European governments. These cybercriminals have been implicated in election tampering not only in the United States, but in Germany, France, and Ukraine. Its cyberattacks seem to be incurred by specific policies, especially those pertaining to NATO, thereby making the United States a target at times, as well as various embassies around the world. As of last year, the group also appeared to be broadening its target set to include more corporate entities.
GROUP #2
A second key Russian proxy group may be known alternatively as “Advanced Persistent Threat (APT) 29” or “Group 100”, in accordance with FireEye/Mandate’s and Cisco Talos’s generic naming schemes. It may also be referred to as “Cozy Bear” or “Iron Hemlock”, in accordance with Crowdstrike’s and DELL SecureWorks’s naming scheme for Russian cyber threats. The group is also referred to as “the Dukes”, a reference to Kaspersky’s naming scheme for its malware. The group may be identified by its use of characteristic malware tools including “CakeDuke”, “CloudDuke”, “CosmicDuke”, “CozyDuke”, “GeminiDuke”, “HammerDuke”, “MiniDuke”, “OnionDuke”, “PinchDuke”, and “SeaDuke”. Names derived from the group’s malware may also include “CozyCar”, “Hammer Toss”, “MiniDionis”, and “SeaDaddy”. Minidionis may represent malware shared with another group, however.
An article in Dutch magazine de Volkskrant detailed a long running operation by the Netherland’s General Intelligence and Security Service, which managed to place the “Cozy Bear” group’s base of operations within a university owned building in Red Square itself. Dutch state-employed hackers also managed to capture images of the people working in the building after taking control of a security camera. As a result, the Dutch hackers were able to conclude that the Russian group is under the leadership of the Russian state’s “external intelligence agency”, the SVR.
As is typical, this group has utilized spearphishing, particularly against its targets within the United States. The group also takes extensive measures to prevent its communications from being found out by its targets. The group employs secure sockets layer (SSL) encryption, establishing secure links between web servers and browsers. On the rare occasions when the group must communicate over a victim’s network, said communications are disguised. Legitimate services like Twitter and Github have been used by this group to issue electronic commands and retrieve data from the systems they infiltrate. Command and control communication over “compromised servers” is further secured by the group’s own backdoors.
These cybercriminals primarily targets governmental policymaking actors in Western Europe, but may also target influential non-governmental organizations, such as think tanks, and may target government actors as far afield as Central Asia, East Africa, The Middle East, and the United States. Notably, the aforementioned Dutch hackers were able to provide advance notice of an attack on the U.S. State Department, and implicate the group in the DNC hack after the fact.
GROUP #3
A third key Russian proxy group is known alternatively as “Waterbug”, or “Group 88” in accordance with Symantec’s and Cisco Talos’s generic naming schemes. It may also be known as “Venomous Bear” or “Iron Hunter”, in accordance with Crowdstrike’s and DELL SecureWorks’s respective naming schemes for Russian cyber threats. Names derived from the group’s malware may include “Agent.btz”, “MiniDionis”, “Skipper”, and “Turla”. “Minidionis” malware appears to also be utilized by the SVR led organization referenced above, so it is a name ill suited to distinguishing these groups. By contrast, “Turla” is the most commonly used name. Indeed, I previously referred to “Turla” as a proxy of the Russian government in my report on the potential kinetic implications of cyber-conflict with Russia.
This “Turla” group—as well as the three which are to follow–cannot be connected to the Russian state with either the certainty or the specificity of the previous organization. However, their targets demonstrate political motivations, and they appear to be Russian speakers.
According to Sheridan, this organization’s command and control infrastructure includes websites they have infiltrated and compromised, as well as “satellite connections”. These cybercriminals appear to primarily collect intelligence, surveil targets, and steal data. Their methods include spearphishing campaigns aimed at tricking those with access to confidential information into installing malware. The group has also been known to utilize watering hole attacks. This indirect approach to cyberattack may also help explain why even the true targets of this group’s attacks are sometimes uncertain. The uncertainty surrounding this group is also due to its heavy use of encryption, which has prevented its victims from knowing what information the group managed to obtained. The group’s tactics, however, have remained largely consistent over time.
This group’s attacks are largely focused on Russia’s near abroad, particularly embassies located in Russia’s own capitals, post Soviet States, and sometimes diplomats in the larger region of Eastern Europe. Embassies in Armenia, Kazakhstan, Poland, and Ukraine have all suffered attacks. However, this cybercriminal organization has also menaced the Central Command and State Department of the United States, foreign policy focused government ministries in Western Europe, and embassies as far afield as Belgium, China, Germany, Greece, and Jordan. Moreover, it has targeted corporations involved in the defense industry.
GROUP #4
Another key Russian proxy group is known as “Sandworm”. It may also be known as “Voodoo Bear” or “Iron Viking”, in accordance with Crowdstrike’s and DELL SecureWorks’s respective naming schemes for Russian cyber threats. It is also frequently identified by its infamous Black Energy malware tools, leading to monikers including “BlackEnergy 2 APT”, and “BlackEnergy V3”. According to Joseph Cox’s 2016 article for Vice, Finnish cybersecurity firm F-Secure also assigned the group the moniker “Quedagh”, a reference to the exploits of a privateer, on account of the group having coopted the BlackEnergy malware, previously used for purely criminal profit, to attack political targets.
This group conducts a mixture of espionage and sabotage, erasing data and launching denial of service attacks. As noted by Recorded Future’s Insikt Group, the group appears to have supported the Georgian war by using its “BlackEnergy” botnets to launch just such a distributed denial of service (DDoS) campaign. The group also uses spearphishing campaigns to exploits human vulnerabilities and gain access to targets. A relatively recent addition to the groups tactics involves indirectly sabotaging targets by disrupting supply chains. Indirect tactics—utilized by this group and “Turla” alike—threaten a greater range of actors than direct offensives.
This group appears to primarily target energy infrastructure, particularly—though not exclusively—Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems in Ukraine. The group has also planned attacks against American utility systems, and—should it broaden its target set—could pose a threat to companies worldwide.
GROUP #5
Though not included in Sheridan’s list, checking names from the FBI/DHS report against adversary details from the Open Threat Exchange and the spreadsheet suggests that there is at least one more major Russian cyber group with ties to the Russian state. This proxy may be alternatively named “Dragonfly” or “Group 24”, in accordance with Symantec’s and Cisco Talos’s generic naming schemes, and itt may be referred to as “Energetic Bear” or “Iron Liberty”, in accordance with Crowdstrike’s and DELL SecureWorks’s naming scheme for Russian cyber threats. The group is also named after its “Havex” and “Crouching Yeti” malware.
This group is primarily engaged in industrial espionage. Its methods include using spearphishing and strategic web compromise (SWC) attacks, in order to compromise industrial control systems. It specializes in targeting the energy industry, but it may also target the education, construction, information technology, and pharmaceutical sectors as well. It seems to target strategically important technology industries in western Europe and those industries exploiting strategic energy resources in the Middle East.