##### RQUT DMO **�69** Shares **Product** **ervice** **[Cutomer](https://www.recordedfuture.com/customers/)** **[Partner](https://www.recordedfuture.com/partners/)** **[log](https://www.recordedfuture.com/blog/)** **Compan** **[Login](https://www.recordedfuture.com/live/)** The Recorded Future log Poted  ### RFID Augut 4, 20�6 in [Cer Threat](https://www.recordedfuture.com/category/analysis/cyber/) Intelligence # Running for O�ice: Ruian APT Toolkit Revealed �44 �0 ## Anali ummar Ruian APT regularl target Microoft product with 55% of exploited vulnerailitie targeting verion of O�ce, Window, and Internet xplorer product. Targeting widel adopted oftware provide the path of leat reitance for a tate-ponored actor. Microoft O�ce vulnerailit targeting i in line with heav ue of pear phihing  Ruian actor including APT28 Deco(lure) attachmentare #### ARCH ## Recent Pot ##### Now Availale: All-ource Anali Capailit  Glenn Wong on Augut 8, 20�6 ##### Running for O�ice: Ruian APT Toolkit ----- 20�6 ##### Get Fired up Aout Threat Intelligence With Recorded Future at lack Hat 2016  Amanda McKeon on Jul 28, 20�6 ##### Whiteoard Workflow erie: Infratructure Vulnerailit Management  Filip Reealu on Jul 27, 20�6 ##### 6 urpriing enefit of Threat Intelligence From the We  Pete Hugh on Jul 26, 20�6 **�69** Shares APT28, aociated  man with Ruian militar intelligence (GRU), ha 22 known exploited vulnerailitie in it toolkit. even of thee vulnerailitie have no availale pulic exploit. APT29, aociated  man with the Ruian Federal ecurit ervice (F), utilize �ve known exploited vulnerailitie with no vulnerailit overlap with APT28. 73% of vulnerailitie targeted  Ruian APT have availale pulic exploit poted to variou corner of the we including Metaploit, xploit Dataae, and GitHu. 
- 46% of known Russian APT exploited vulnerabilities are also found in exploit kits used by cyber criminals.

Recorded Future analysis of Russian hacking collectives has highlighted 33 known exploited product vulnerabilities used by various groups to steal information or compromise victim computers. 27 of these are tied to APT28 and APT29, collectives known by many names and possibly associated with Russian military intelligence (GRU) and the Federal Security Service (FSB) respectively.

Recent attacks and alleged subsequent leaks of stolen information from the Democratic National Committee (DNC) have highlighted the unprecedented impact of Russian threat actors in the 2016 United States Presidential election. In June 2016, [CrowdStrike identified APT28 and APT29's](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) presence in the DNC's computer systems. APT28 gained access in April 2016, while APT29 gained access in summer 2015.

sponsored groups Energetic Bear and Turla, regularly exploit multiple products in the Microsoft family (Office, Internet Explorer, and Windows). This is likely due to their massive user base and — in the case of Office — association with email attachment based attacks. 55% of known leveraged vulnerabilities belong to the Microsoft family.

Interestingly, only 46% of the known exploited vulnerabilities were seen in cyber criminal-focused exploit kits. 73% of the known exploited vulnerabilities had public exploits available on forums, blogs, paste sites, and code repositories such as Exploit Database, Metasploit, and GitHub. This suggests some element of unique capability. For instance, APT28 utilizes seven exploited vulnerabilities for which there are no available public exploits.
However, in the case of Energetic Bear, public exploits make up its entire toolkit [according to Kaspersky research and the below](https://usa.kaspersky.com/internet-security-center/threats/crouching-yeti-energetic-bear-malware-threat#.V57CLZMrJo4) table.

## Methodology

This analysis focused on advanced persistent threat [(APT) and malware families tied to likely Russian](https://www.recordedfuture.com/russian-malware-analysis/) state sponsors. Recorded Future analyzed web sources including blogs, forums, paste sites, code/malware repositories, social media, and posted PDFs of finished reports and presentations. This approach is akin to a meta-analysis. No original analysis of malware samples was conducted. The goal of this analysis was to highlight

threat actors. Attack attribution and identifying threat actor plans and intentions are the hardest problems in intelligence analysis. Recorded Future makes no specific claims to recent and high-profile attacks against United States presidential candidates or campaigns.

## Scope

Using Recorded Future, we analyzed information published to the web linking Russian APTs to exploited vulnerabilities from January 1, 2012 to July 31, 2016. Subsequent analysis was conducted, applying the list of 33 known exploited vulnerabilities against Recorded Future holdings of available exploits and exploit kits frequented by cyber criminals and generally available for sale on deep and dark web (onion) forums.

[As noted in previous Recorded Future APT research,](https://www.recordedfuture.com/russian-malware-analysis/) analysis is complicated by the wide variety of branding and codewords applied to different facets of the problem.
Some are grouped by signatures,

this analysis which focused on the following four Russian-linked APT/malware families:

- [APT28](http://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack) AKA Fancy Bear, Operation Pawn Storm, Strontium, Sednit, Sofacy, Tsar Team. Possibly [associated with the Russian military's Main Intelligence Department or GRU](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) (Главное Разведывательное Управление).
- [APT29](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) AKA Cozy Bear, The Dukes, Office Monkeys. Possibly [associated with Russia's primary intelligence service](http://www.nytimes.com/2016/07/27/us/politics/spy-agency-consensus-grows-that-russia-hacked-dnc.html), the Federal Security Service or FSB (Федеральная служба безопасности Российской Федерации), the successor to the KGB.
- Energetic Bear AKA Crouching Yeti, Dragonfly, Group 24, Koala Team. Associated with Havex malware.
- Turla AKA Epic Turla, Snake, Ouroboros, Carbon. Possibly associated to the Agent.BTZ campaign.

While not covered in this report, [APT28](https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf), APT29, Energetic Bear, and Turla [all target information consistent with Russian intelligence goals](https://www.recordedfuture.com/russian-malware-analysis/) of collection on strategic adversaries, neighbors, energy targets, etc. Links to excellent research from FireEye, TrendMicro, Kaspersky, Microsoft, CrowdStrike, etc. are provided as appropriate.
## Reult The following product were regularl targeted  the four Ruian group: �44 �0 ----- **�69** Shares Organized  compan: ## Ue of the Identified Vulnerailitie Ruian APT emplo tactic imilar to other cer [threat actor including targeted pear-phihing,](http://www.kaspersky.com/internet-security-center/threats/epic-turla-snake-malware-attacks) [poofed domain upporting credential phihing,](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) ocial engineering, and watering-hole attack. �44 �0 ----- **�69** Shares exploit ma e in line with the more targeted nature of tate-ponored attack. Criminal campaign uch a ranomware pla a numer game, while tate-ponored attack focu on peci�c organization and information. [Previou Recorded Future anali highlighted heav](https://www.recordedfuture.com/top-vulnerabilities-2015/) ue of Adoe Flah Plaer exploit in criminal exploit kit. Comparativel, �ve of the 33 identi�ed vulnerailitie impacted Flah Plaer. ight of the 33 impacted O�ce/Acroat (generall email attachment exploit). ## iloed Approache Recorded Future anali of exploited vulnerailitie ued  APT28 and APT29 revealed no known overlapping ue of vulnerailitie. Thi lend credence to the theor put forth  multiple expert that the two group — poil aociated with GRU [and F — don’t coordinate or hare reource and](http://www.ecfr.eu/publications/summary/putins_hydra_inside_russias_intelligence_services) infratructure. Interetingl, according to Crowdtrike, the two group unwittingl tole the ame et of DNC credential. Product targeted, grouped  APT: �44 �0 ----- **�69** Shares ## Overlap With xploit Kit 46% of known Ruian APT exploited vulnerailitie are alo found in exploit kit ued  cer criminal. 
xploit kit are availale for purchae or rent on deep and dark we (onion) forum for cer criminal eeking to deplo paload including ranomware. Targeted vendor, grouped  APT (colored  vulnerailit preent in exploit kit): Man exploit (73%) are pulicl availale for thee identi�ed vulnerailitie, although the date of the pulication of thee exploit (veru the date of the attack) i hard to determine. Regardle, the ue of common or pulic exploit erve a variet of purpoe: Popular product (Window, O�ce, Internet xplorer) are more likel to have well-known (and ometime pulicl availale) exploit. Targeting popular product upport a “pla the odd” approach to ucceful exploitation of intalled oftware on a target computer. Popular product exploit help cloud e�ort at attriution. �44 �0 ----- **�69** Shares availailit of exploit): ## Impact [With �.5 illion people uing Window ever da, and](https://news.microsoft.com/bythenumbers/ms_numbers.pdf) �.2 illion people with O�ce product intalled on their machine, the “pla the odd” approach egin to explain the popularit of Microoft product with Ruian APT. [Popular Java (ued  89% of U.. computer) and](https://www.java.com/en/about/) [Adoe (50 illion PDF opened in Adoe in 20�5)](https://wwwimages2.adobe.com/content/dam/acom/en/fast-facts/pdfs/fast-facts.pdf) exploit follow thi pattern. Much like with cer criminal, the path of leat reitance to a ucceful redirection or implant i often the et for a tate ponored actor targeting trategic information. ## Recommended Action We recommend ou: Patch all vulnerailitie identi�ed in thi pot. Conduct enterprie we and email ecurit awarene training. Utilize two-factor authentication and VPN where appropriate. �44 �0 ----- we rower. Conider alternative PDF viewer. Monitor the we for poted email addree (even thoe without paired paword). 