Mapping the connections inside Russia’s APT Ecosystem – Check Point Research


When Professor Valery Legasov was asked by the prosecutor, in the final episode of HBO's popular TV show "Chernobyl", what the reason was for the scandalous decision that led to the Chernobyl disaster, Legasov cited the same reason for which other safety precautions were ignored and other corners were cut in the Soviet Union in those years: "It's cheaper."

Unprecedented-scale research we conducted in a joint effort with Intezer reveals that when it comes to Russia's cyber operations, Prof. Legasov's claim does not hold up.

Russia has been known to conduct a wide range of cyber espionage and sabotage operations for the last three decades, beginning with the first publicly known attacks by Moonlight Maze in 1996, going through the Pentagon breach in 2008, the blackout of Kyiv in 2016 and the hacking of the US elections in 2016, and up to some of the largest and most infamous cyberattacks in history – targeting a whole country with the NotPetya ransomware.

If the names Turla, Sofacy and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there – and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in cyber warfare today. Their advanced tools, unique approaches and solid infrastructure suggest enormous and complicated operations that involve different military and government entities inside Russia.

Indeed, numerous Russian operations and malware families have been publicly exposed by different security vendors and intelligence organizations such as the FBI and the Estonian Foreign Intelligence Service. While all of these shed light on specific Russian actors or operations, the bigger picture remains hazy.