New Research into Russian Malware

There’s some interesting new research about Russian APT malware:

The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.

“Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks,” researchers said.

“While each actor does reuse its code in different operations and between different malware families, there is no single tool, library or framework that is shared between different actors.”

Researchers say these findings suggest that Russia’s cyber-espionage apparatus is investing a lot of effort into its operational security.

“By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations,” researchers said.

This is no different from the US. The NSA malware released by the Shadow Brokers looked nothing like the CIA “Vault 7” malware released by WikiLeaks.

The work was done by Check Point and Intezer Labs. They have a website with an interactive map.

Posted on October 2, 2019 at 8:00 AM8 Comments


Patriot October 2, 2019 10:15 PM

Compartmentalization is a good idea in intelligence operations. But the Russians surely have a small cadre of leatherfaced, vodka-swilling fossils left over from the CCCP to oversee the whole operation.

It’s interesting that one does not hear about any of their people running off to a Western capitol as a turncoat–and certainly not with 7 terabytes of recently downloaded data under their arm–as Mr. Snowden did. Maybe it happens, but one does not hear about it.

Ross Snider October 3, 2019 12:20 AM

This is smart for intelligence agencies, CIA and FSB alike.

Each agency has its own operating concerns, fallout for exposed operations, and ways of burning and redeveloping malware – and thus different use cases and concerns. Malware development is sufficiently cheap to have duplicate efforts to develop many sets of slightly variant tools. I don’t know the exact costs for specific organizations, but just imagine how expensive burning all of your operations and operators would be if a single piece of malware uncovered by one agency could roll up your entire country’s security apparatus.

spy v spy October 3, 2019 4:13 AM

From the About at the interactive map:

The map and its data are open source in our repository and we are inviting you all to add more information and improve it.

Well, good on them. I always get a little suspicious about claims against adversary tactics/methods, but giving up both the data and tools to analyse said data builds trust.

Russian Tenders October 3, 2019 6:17 AM

That’s one of the most crucial and important aspects that needs to be taken care of. AS operational security is one of the most important country’s security apparatus.

Petre Peter October 3, 2019 6:40 AM

It’s smart that agencies don’t share code with other agencies. Each one with its own pharmacy!

Clive Robinson October 3, 2019 7:51 AM

@ Patriot,

Maybe it happens, but one does not hear about it.

That is maybe because Russia goes about things a different way and the West turns a blind eye to it for monetary reasons.

Whilst the nerve gas poisoning in Salisbury did make the news, another Russian living just a few hundred meters from me was found hanged in his house, in more than just suspicious circumstances. He like twenty or so other Russian’s that have met “mysterious early demises” in the UK have largely gone without investigation or comment.

Russia under Putin put in place legislation for Russia to carry out executions abroad without trial simply on his say so…

Have a think on what that might do to your thoughts on being a whistle blower…

SpaceLifeForm October 5, 2019 2:18 PM


Capitol, capital.

You may have not needed to correct.

Aside: Capitol is always uppercase C.
Because it is a Building, not a city.

With regard to capital, that also means money, and that is what IC should be following. You should know that, but you are compartmented, so, not your role.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.