ML Systems Integrator Pte Ltd

+65 6990 9055

    Russia APT Map of 22,000 Connections with 2,000 Malware Samples

    Russia APT Map of 22,000 Connections with 2,000 Malware Samples

    For the past few years, a large number of hacking groups in Russia have been known to be one of the most experienced players in cyberspace, coming up with very specialised hacking skills as well as devices for cyber espionage.


    Over the past 3 decades, Russian hacking groups like Fancy Bear, Turla Cozy Bear, Sandworm Team and Berserk Bear were the cause of many high profile hacking incidents – the US presidential elections, causing a blackout in Ukrainian capital Kiev and etc.


    Apart from progressively expanding its cyberwar competences, the ecosystem of Russian APT (Advanced Persistent Threat) groups has also developed into a very complicated structure, making it more difficult to know who is who in Russian cyber espionage.

    To make it simple to understand the Russian hackers and how they work, researches from Intezer and Check Point Research came together to release a web-based interactive map that gives a full overview of this ecosystem.


    Dubbed “Russian APT Map,” the map can be used by anyone to learn information about the connections between different Russian APT malware samples, malware families, and threat actors—all just clicking on nodes in the map.

    “By clicking on nodes in the graph, a side panel will reveal, containing information about the malware family the node belongs to, as well as links to analysis reports on Intezer’s platform and external links to related articles and publications.”





    At its core, the Russian APT Map is the result of comprehensive research where researchers gathered, classified and analyzed more than 2,000 malware samples attributed to Russian hacking groups, and mapped nearly 22,000 connections between them based on 3.85 million pieces of code they shared.


    Russian APT Map also reveals that though no hacking groups were discovered to be using each other’s code and they used their own different tools and frameworks when using their code. By avoiding re-using the same tools in a wide range of target, the risk of a domino effect whereby one vulnerable operation will expose the others. Another hypothesis is that different organizations do not share code due to internal politics.


    To make it more efficient and up-to-date in the future, researchers have also open-sourced the map and the data behind it.