apt map of russia

Posted by deaguero at 2020-03-31

Russia has launched a series of network monitoring and attack activities in the past 30 years. From the earliest moonlight maze attack in 1996, to the attack on the Pentagon of the US Department of defense in 2008, to the intervention in the US presidential election in 2016, as well as the famous notpetya blackmail software, these are masterpieces of the Russian apt organization.

However, these attacks and malware families are exposed by different security vendors and intelligence structures, such as the FBI and the Estonian foreign intelligence agency. But there is not a single map that brings all the Russian apt organizations together.

Figure 1: report on apt issued by the Estonian Foreign Intelligence Agency

The researchers collected, classified and analyzed the original malware used by thousands of Russian apt organizations, and found out the relationship between some malware families and malware.

The researchers analyzed about 2000 malware samples and found about 22000 connections and 3.85 million shared code segments between them. The researchers eventually divided the samples into 60 malware families and 200 different modules.

Code similarity

After collecting and classifying samples of Russian apt organization, researchers began to cluster analysis based on the malicious code shared between different samples. Through the technology of malware gene analysis of intezer, binary files can be automatically divided into thousands of small code segments. Then, for each gene (code segment), analyze whether it has appeared in other software or malware. Through intezer's malware gene library, samples can be automatically extracted and unrelated binary parts, such as library code, can be ignored.

Visual connection

By analyzing the similarity of sample code, the researchers visualized these samples.


Sha256, Label, Actor

Links found

sha256_sampleA, sha256_sampleB, # of shared genes

The researchers used dots to represent the samples and edges to represent the relationship between the two samples. Researchers first use Python's Networkx library to generate. Gexf files, and then use the gephi visualizer to process them.

By loading the generated. Gexf file into gephi, the researchers saw a complex, mesh connection. As shown in the figure below, the researchers then tried to use some layout algorithms to make the relationship between malware clearer.

Figure 2: initialization diagram created by gephi

The researchers used the force directed layout algorithm (fruchterman reingord) to optimize the display.

Figure 3: connection diagram after application of layout algorithm

Figure 4: color the connection diagram

The relationship between malware

Connection analysis

The researchers found that some of these malware are related to specific functions, some are related to the whole module. The code similarity of different apt organization samples is very low, it is difficult to show that apt organizations share code or modules.

BlackEnergy Password Stealer <—> PinchDuke

Both malware steal outlook and "the bat!" credentials. Pinchduke is based on the pinch (ldpinch) credential thief, which was mainly active in Russian underground forums 10 years ago. As a result, the researchers believe that the code shared by blackenergy and pinchduke comes from the source code of pinch. In addition to functions, some strings are the same, as follows:

Pinch Duke [0ce3bfa972ced61884ae7c1d77c7d4c45e17c7d767e669610cf2ef72b636b464]

Black Energy [3cf46c68dccb989fbda3f853cc19025d39d38d9ea5786f4ae6a926677d6c5f62]

BlackEnergy <—> Energetic Bear

McAfee's previous research shows that the same self deletion function exists in the black energy sample in 2015 and the new energy bear (Dragonfly) sample in 2017. Although self deleting functions are also common in malware, binary level 1:1 matching is rarely seen. Therefore, the researchers determined that the function was not shared among these apt organizations, but originated from a public source.

Black Energy  [11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80]

Energetic Bear [fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9]

Potao Main Module <—> X-Agent

Potao's main module and X-agent sample share similar PE loader implementation. Due to the low proportion of shared code, researchers cannot determine whether it comes from the same shared code base or has a common implementation of PE loader function.

Industroyer <—> Exaramel

Previous research on ESET shows that the code connecting the backdoor of exaramel has many similarities with the main backdoor module of industriyer, indicating that exaramel is a new version of the backdoor.

Apt map of Russia

Russian apt map is a web-based interactive map, which shows the relationship between different Russian apt organizations and their malware families.

Figure 5: apt map of Russia

Please refer to for the interactive organization map of apt in Russia/

Figure 6: you can see the relevant information when you move the mouse to the edge


According to the above analysis, most apt organizations do not share code. Research shows that no code communicates between two or more apt organizations. The reasons may be:

·Russia has the strongest network monitoring ability, and has realized the disadvantages of code sharing early. Differences avoid code and tool reuse to prevent traceability and correlation analysis.

·Another possibility is the domestic politics of Russia. The researchers do not understand the domestic politics of Russia and the relationship between Russian intelligence agencies. But different intelligence agencies may have little communication between apt organizations and tools, which leads to the above results.

Note: This article is from