Full Report
Introduction Based on feedback I have received from fellow CTI researchers, incident responders, and managed detection and response teams around my Ransomware Tool Matrix project, I decided to make another Tool Matrix focused on one hostile state in particular: Russia. Again, as defenders, we should exploit the fact the tools used by these Russian APT groups are often reused and through proactive defensive work, we can frustrate and even eliminate the ability of certain adversaries to launch intrusions. Using the Russian APT Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by Russian APTs to hunt, detect, and block, there are some risks, as noted in the repository. The new repository also contains multiple types of Russian threat groups, this includes adversaries part of the GRU, SVR, and FSB. The alias of each Russian threat group has been chosen by what the author of this repo believes it is most well-known as. Russian GRU: Main Intelligence Directorate (Russian Military)Russian SVR: Foreign Intelligence Service of the Russian FederationRussian FSB: Federal Security Service of the Russian FederationAlso, if you’re short on time, you can now listen to this blog as a podcast via YouTube, which I generated using Google’s NotebookLM. Key Findings Following the collection, extraction, and labelling of all the tools identified as being used by Russian threat groups, some interesting findings were uncovered. These are as follows: The adversary that used the most scanners was EMBER BEAR, which is affiliated with the GRU. Other GRU threat groups, such as FANCY BEAR and Sandworm, were found often relying on a wide variety offensive security tools (OSTs) to support their intrusions. Another interesting finding was that Russian threat groups using lots of different tools and platforms for exfiltration was Turla and COZY BEAR. Overall, the Russian threat group with the highest total number different tools used was COZY BEAR, which is affiliated with the SVR. From extracting all the various tools from several years’ worth of threat reports, some general observations about how Russian threat groups used public-available resources to support their campaigns. The thing that stood out most was a large reliance on OSTs across multiple Russian threat groups. Up to 27 different OSTs were recorded. The tools mutually used by the highest number of Russian threat groups are as follows: Mimikatz is used by COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, and Turla.Impacket is used by COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, and BERSERK BEAR.PsExec is used by COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, and Turla.Metasploit is used by FANCY BEAR, EMBER BEAR, Sandworm, and Turla.ReGeorg is used by COZY BEAR, FANCY BEAR, EMBER BEAR, and Sandworm. If a combination of the above tools are observed during an intrusion, then that intrusion could have been conducted by a Russian state-sponsored threat group. However, using the Ransomware Tool Matrix, we know that four out of the top five tools used by Russian threat groups are also very commonly used by ransomware groups. The network tunnelling utility ReGeorg is potentially notable for its use by multiple Russian threat groups. ReGeorg is not a well-known tool and it is often used in conjunction with a web shell to turn a compromised server into a proxy. From my collection and extraction of tools from threat reports related to the Ransomware Tool Matrix, I can confirm ReGeorg is used by virtually none of the large ransomware gangs. Therefore, if this specific tool is found during an intrusion, alongside the other top five tools mentioned above, there is arguably an increased chance it was conducted by a Russian threat group. Russian APT Tool Matrix Project You can find The Russian APT Tool Matrix in my GitHub repository below:
Analysis Summary
# Threat Actor: Russian State-Sponsored APT Groups
## Attribution & Identity
The analysis covers multiple threat groups associated with Russian intelligence services:
* **GRU:** Main Intelligence Directorate (e.g., EMBER BEAR, FANCY BEAR, Sandworm)
* **SVR:** Foreign Intelligence Service of the Russian Federation (e.g., COZY BEAR, Turla)
* **FSB:** Federal Security Service of the Russian Federation (Actors associated with this service are also included in the matrix).
The report focuses on creating a **Russian APT Tool Matrix** based on known tool usage across these groups.
## Activity Summary
The article does not detail specific recent campaigns but focuses on summarizing the collective tool usage across known Russian APT operations. Key findings highlight tool prevalence:
* **EMBER BEAR** (GRU) used the most scanners.
* **GRU groups (FANCY BEAR, Sandworm)** often rely on a wide array of Offensive Security Tools (OSTs).
* **Turla and COZY BEAR** were noted for using many different tools and platforms for exfiltration.
* **COZY BEAR (SVR)** was identified as the Russian threat group using the highest total number of different tools overall.
## Tactics, Techniques & Procedures
The primary focus is on reused public tools, especially Offensive Security Tools (OSTs) and specific utilities.
* **General TTP Observation:** Large reliance on OSTs; up to 27 different OSTs were recorded across these groups.
* **Commonly Shared Tools (Indicating Russian APT Activity):**
* **Mimikatz** (Used by: COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, Turla)
* **Impacket** (Used by: COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, BERSERK BEAR)
* **PsExec** (Used by: COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, Turla)
* **Metasploit** (Used by: FANCY BEAR, EMBER BEAR, Sandworm, Turla)
* **ReGeorg** (Used by: COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm)
* **TTP Specificity:** The use of **ReGeorg** (a network tunneling utility often used with a web shell to turn a compromised server into a proxy) is deemed potentially notable when found alongside the top five tools, as it is not commonly used by large ransomware gangs.
## Targeting
* Sectors: Not explicitly detailed in this excerpt. The context suggests targeting supportive of state interests, given the attribution (GRU, SVR, FSB).
* Geography: Not explicitly detailed in this excerpt.
* Victims: Specific organizations were not named in this summary of the tool matrix compilation.
## Tools & Infrastructure
The summary focuses on commonly used publicly available tools, suggesting adversaries often leverage accessible resources.
* **Malware families used:** Not explicitly listed as proprietary malware, but specific utility usage is noted.
* **Infrastructure (C2, domains, IPs - defang URLs):** No specific C2 infrastructure mentioned in this high-level summary.
* **Key Utilities/Software:** Mimikatz, Impacket, PsExec, Metasploit, ReGeorg.
## Implications
The reuse of common tools (especially OSTs) by multiple Russian state-sponsored groups (GRU, SVR, FSB) highlights a broad-based, pragmatic approach to intrusion support. The overlap between the top five tools used by Russian APTs and those used by ransomware groups suggests potential shared knowledge or infrastructure between government-aligned and criminal elements within the Russian threat landscape. The distinctive use of **ReGeorg** could serve as a critical differentiator in attribution analysis against suspected Russian activity versus purely financially motivated groups.
## Mitigations
* **Proactive Defensive Work:** Defenders should focus on hunting, detecting, and blocking the shared, commonly used tools listed (e.g., Mimikatz, Impacket, PsExec, Metasploit).
* **Indicator of Russian APT:** If indicators from the top five commonly shared tools are observed alongside the network tunneling utility **ReGeorg**, defenders should consider the intrusion as having an increased probability of being conducted by a Russian state-sponsored threat group.