On 16 July 2020, the United Kingdom’s National Cyber Security Centre (NCSC), with support and contributions from the Canadian Communications Security Establishment (CSE) and the United State’s National Security Agency (NSA), released a report tying recent intrusions in vaccine research organizations (as well as other industries) to Russian-linked adversary APT29. Also known as Cozy Bear, the group is associated with activities ranging from political to economic espionage over the past several years.
Notably, while other public, Western government attribution of Russian-linked espionage activities has been specific in terms of what agencies are involved (such as in past US Department of Justice indictments or the recent NSA report on Sandworm activity), this report stops short of such direct attribution. Instead, APT29 is identified as “almost certainly part of the Russian intelligence services” (RIS), a similar vague association to Russia first publicly glimpsed in JAR-16-20296A. However other entities – most notably the Estonian government – have quite forcefully called out APT29 as linked to Russia’s non-military intelligence agencies – either the SVR or the FSB. The hesitancy by UK, US, and Canadian sources to go “one step further” than just saying “RIS” therefore seems odd in light of other recent FVEY-related adversary reveals.
Yet there is something to be understood about the reporting agencies, their sources, and direction especially in comparison to other major attribution items. Most importantly, other detailed items, such as US DOJ indictments, have focused on legalistic means – potentially with a deterrent focus – that have had a significant domestic audience intention (e.g., election interference) in addition to foreign expression. Such cases require extensive documentation in order to meet legal thresholds of proof. The agencies responsible for this APT29-linked reporting do not face these barriers, and have no requirement to meet them other than our desire as consumers to know more. This is reflected in the NSA’s earlier Sandworm statement, where proof of attribution in that case essentially resembled, “We’re the NSA. We know what we’re talking about.”
Notably, in the NSA-Sandworm instance, there was little pushback on the agency’s claim (despite lots of discussion on the fact the agency said anything public at all). Yet in the case of the NCSC/CSE report – which was supported in both technical details and attribution by the NSA, as stated clearly in the report’s introduction – significant dissent emerged from small but very vocal corners of the security industry shortly after public disclosure. One reason likely fueling this was existing research on one of the referenced malware variants – “WellMess” – which was unable to tie the activity to any known threat, with no technical explanation by the entities involved as to how or why they are making the connection to APT29 now.
At this stage, we need to make a detour to a discussion of the “attribution question”. I’ve previously noted the distinction between “who” and “how” focused attribution efforts. Generally speaking, private researchers and companies can do a great job on “how” activity, while “who”-specific (what exact entity was responsible for the action) is primarily the realm of entities with access to direct sources of intelligence about adversaries – such as signals or human intelligence agencies.
From a behavior-focused, “how”-based attribution perspective, nothing noted by NCSC and its partners aligns well with past, known APT29 activity. The only known, recent APT29-linked activity, based on use of a backdoor similar to MiniDuke malware, is the Operation Ghost report released by ESET in 2019. From all available items going back to 2016, we see initial access through phishing, transitioning to either variants of the Duke malware families or use of custom PowerShell scripts or other scripting frameworks for follow-on espionage activity. While there are variations here that may indicate group evolution or possibly group differentiation based on distinct behaviors linked only through occasional shared tool use, overall this clusters into activity that can be reasonably linked together.
The new reporting shows something different from most known behaviors associated with APT29. First, reporting emphasizes the use of various external-facing network device or service vulnerabilities as an initial access vector, followed by the use of three types of malware, two written in Golang (not previously associated to APT29) and another associated with a different group entirely (DarkHotel). Viewed only in light of available technical observations and behavioral analysis, nothing would strongly suggest or adequately support a relationship to APT29.
This is where the work of most (if not all) private security companies and individual researchers stops, as additional data just doesn’t exist. But government intelligence agencies can go further. In addition to technical details observed in intrusion operations, they possess the means to swim further “upstream” to the adversaries themselves through multiple signals and human intelligence capabilities. By marrying these non-public, classified sources with technical analysis of observed intrusions, an entirely new field of possible (and supportable) conclusions emerges. At this stage, understanding of the activity can transcend technical observations to include discovery of who is responsible for the behavior, enabling links and connections that would be impossible when limited only to available, observed behaviors.
Based on the above, I would anticipate frustration as two types of attribution – “who” and “how” – are conflated in making the APT29 assessment from NCSC et al. While NCSC et al are performing “who”-focused attribution that almost certainly incorporates non-public, sensitive sources, most if not all the strong dissenting opinion is seeking firm “how”-centric analysis to support the conclusion. Given the nature of how NCSC et al are basing their conclusions (sensitive or classified intelligence sources), the expectation that such analysis could be revealed to publicly support the link is wishful thinking at best, and bad faith argument at worst.
An important discrepancy or oddity in the reporting emphasizes the above while highlighting key differences in how the Anglo-American cyber defense entities work and are organized. In the introduction to the NCSC report, while CSE and NSA support both attribution and technical findings, the US’s Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) joins in as only supporting the technical analysis. CISA’s avoidance of attribution is further evidenced in its own report, as well as in metadata surrounding its YARA rules and malware analysis which others have pounced on. Yet instead of revealing some sort of interagency reporting discrepancy and sign of some conspiracy among FVEY-related organizations, the likely source of this difference lies more in institutional politics and bureaucratic organization.
The UK’s NCSC is fundamentally linked and reports to the UK’s signals intelligence agency, GCHQ. As such, the agency has both an existing trust and working relationship with the UK’s source of signals intelligence, likely including matters that enabled the “who”-based attribution in this instance to APT29. CISA is an entirely different animal, residing in a completely different part of government from the NSA with brittle or fragile working relationships and a history (going back to US-CERT and other organizational permutations) of poor information sharing when it comes to sensitive matters. While CISA is improving greatly, institutional inertia remains – and it is almost certainly the case that CISA was neither cleared for nor deemed necessary to receive whatever sensitive information enabled another part of government – DoD-based NSA – to make its attribution conclusion. Therefore, while CISA could confirm the technical aspects of available analysis, it lacked access to the information that allowed its partner organizations to make this more provocative claim.
So where does this leave us? While I hate the notion of “just trust us” when it comes to matters as significant as publicly identifying a foreign intelligence service as responsible for some activity, at the same time any party paying any attention to matters with minimal understanding of the organizations involved realizes we won’t soon get any of the information enabling the (publicly) contentious conclusion. Given the disclosure of multiple technical indicators and descriptions of activity, it may now be possible for other organizations to re-examine available information to discover the technical links not laid out by the intelligence organizations, but it seems absurd to think that these entities will reveal the nature or contents of the information that enabled their “who”-based link.
Personally, I view the disclosed activity as so different from known-prior APT29 behavior that it deserves to be carved out as a separate entity when using a behavior-centric mechanism for classification and tracking. The entity may report to the same masters as APT29 (FSB or SVR), but it certainly “looks different” from what came before. This is where I am a bit frustrated in that NCSC et al did not go further than “RIS” in their identification, as this would have enabled glimpses of Russian-directed espionage campaigns that could enable some untangling of previously identified activity – as we have been able to do for GRU-linked entities thanks to multiple DOJ indictments and other primary sources.
Having said that though, I highly doubt NSCS, CSE, and NSA would have publicly identified an entity as responsible for such behavior without having (what they considered to be) rock-solid proof. While it is possible they could be wrong, the potential backlash from such an error would be significant enough to ensure that these organizations were quite certain before making this recent public declaration. That such proof cannot (and likely will never) be shared with the public is unfortunate, but also understandable given its likely nature.
Finally, I find it interesting in this instance how little controversy surrounded NSA’s identification of Sandworm as GRU Main Center for Special Technologies unit 74455 compared to the currently-discussed claim from NCSC (which is also supported by NSA). I think part of this is due to the amorphous nature of APT29 itself. While consensus exists that this entity is “Russian” in nature and linked to that country’s intelligence services, no one has (publicly) gone much beyond the Estonian statement of “it is either FSB or SVR”. Where the NCSC et al report could have cleared some of this up, instead it adds to the continued shaky understanding of this adversary’s nature, which is a source of frustration for those of us who voyeuristically track such arcane items.
Yet from a defensive standpoint, enough information was disclosed – Russian strategic interests are using these tools and techniques to enable targeting and intrusions against these industries – to allow for defense. In a behavior-centric way tied to enabling operational threat intelligence and threat response, the report is a clear win. That it has subsequently fueled such ire among a very vocal minority of information security professionals is unfortunate, but given the confusion between attribution types and agency limitations in disclosing sensitive sources and methods, it was also likely inevitable.