Russia’s Cyber Operations Groups
Some time ago I published a post in which I briefly discussed some of the most well-known APT aliases associated with specific government organizations of the Russian Federation. Since a lot of additional information has recently been released by official sources (US and UK governments), I decided to make this into a more thorough diagram.
The sources used are listed below.
I hope that they weren’t wrong, but if you notice any mistakes, missing details or incorrect information, please let me know so that I can update it accordingly.
Last update: 17 MAY 2023

Sources
- Välisluureamet (Estonia’s Foreign Intelligence Service): International Security and Estonia 2018
- Välisluureamet (Estonia’s Foreign Intelligence Service): International Security and Estonia 2019
- Välisluureamet (Estonia’s Foreign Intelligence Service): International Security and Estonia 2020
- Wikipedia: Fancy Bear
- Wikipedia: Sandworm
- Wikipedia: Cozy Bear
- Wikipedia: Cyberwarfare by Russia
- Wikipedia: GRU (Russian Federation)
- Wikipedia: Foreign Intelligence Service (Russia)
- Wikipedia: Federal Security Service
- Wikipedia: Vulkan files leak
- EU Commission: Amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
- EU Commission: Achieving a sovereign and trustworthy ICT industry in the EU
- US Department of Justice: U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations
- US Department of Justice: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace
- US Department of Justice: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
- US Department of Justice: Russian National Charged with Supplying U.S. Technology to the Russian and North Korean Governments
- US Department of Justice: Justice Department Announces Five Cases as Part of Recently Launched Disruptive Technology Strike Force
- US Congressional Research Service: Russian Cyber Units
- US Congressional Research Service: Russian Military Intelligence: Background and Issues for Congress
- US CISA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
- US CISA: Hunting Russian Intelligence “Snake” Malware
- US Embassy & Consulates in Russia: United States Charges Russian Military Intelligence Officers for Cyber Crimes
- US Department of Treasury: Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War
- US CISA: Alert (AA22-083A)
- Wired: Top Secret Russian Unit Seeks to Destabilize Europe, Security Officials Say
- UK NCSC: NCSC welcomes EU cyber sanctions against Russia following 2015 attack on Germany’s Parliament
- UK NCSC: UK and US call out Russia for SolarWinds compromise
- UK NCSC: UK exposes Russian spy agency behind cyber incidents
- UK Government: Russia’s FSB malign activity: factsheet
- Radio Free Europe Radio Liberty: Investigative Report: On The Trail Of The 12 Indicted Russian Intelligence Officers
- Bellingcat: Russian Vehicle Registration Leak Reveals Additional GRU Hackers
- Supo (Finnish Security Intelligence Service): National Security Overview 2018
- Supo (Finnish Security Intelligence Service): National Security Overview 2019
- Supo (Finnish Security Intelligence Service): National Security Overview 2020
- Security Artwork: The Russian ICC (V): FSB
- Lab 52: (Cyber) GRU (I): Introduction
- Lab 52: Cyber (GRU) (II): historical SIGINT
- Lab 52: (Cyber) GRU (III): July 2018
- Lab 52: (Cyber) GRU (IV): September 2018
- Lab 52: (Cyber) GRU (V): October 2018
- Lab 52: (Cyber) GRU (VI): and now what?
- Lab 52: (Cyber) GRU (VIII): Structure. Unit 74455
- US NSA/CSS: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks
- US NSA/CSS: Russian SVR Targets U.S. and Allied Networks
- US White House: FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government
- US White House: Background Press Call by Senior Administration Officials on Russia
- RAND: Understanding Russian Subversion
- NATO CCD COE 2020 12th International Conference on Cyber Conflict: The Past, Present, and Future of Russia’s Cyber Strategy and Forces
- NATO CCD COE: Cyber Threats and NATO 2030: Horizon Scanning and Analysis
- CNA: Russia’s Approach to Cyber Warfare
- US State Department: GEC Special Report – Pillars of Russia’s Disinformation and Propaganda Ecosystem
- US Select Committee on Intelligence: Russian Active Measures Campaigns and Interference in the 2016 US Election
- US Select Committee on Intelligence: Report on Russian Active Measures
- FAS: The SVR: Russia’s Intelligence Service
- Government of the Netherlands: Letter to the House of Representatives regarding Disruption of a GRU cyber operation in The Hague
- NOS: Dutch intelligence first to alert U.S. about Russian hack of Democratic Party
- Netherlands NCSC: Cyber Security Assessment Netherlands CSAN 2015
- FireEye: APT28 – A Window into Russia’s Cyber Espionage Operations?
- Global Security: SVR Organization
- SSU: Technical Report on Gamaredon/Armageddon Group: FSB RF cyber attacks against Ukraine
- The Record: Ukraine discloses identity of Gamaredon members, links it to Russia’s FSB
- MITRE ATT&CK Groups: TEMP.Veles
- Dragos Inc.: TRISIS Malware: Analysis of Safety System Targeted Malware
- Malpedia: XENOTIME
- Mandiant: Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
- FGUP Central Research Institute of Chemistry and Mechanics
- Kaspersky Lab response clarifying the inaccurate statements published in a New York Times op-ed on September 4, 2017
- News 9 Live: The Vulkan Files
- The Guardian: ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics
- Mandiant: Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan
ChangeLog
- Version 5.8 (17 May 2023): Fixed Turla/SNAKE attribution (thanks to will)
- Version 5.5 (17 May 2023): Added Military Unit 33949 (from US DoJ)
- Version 5.0 (24 February 2023): Added Military Unit 43753 (from US DoJ)
- Version 4.6 (07 April 2022): Added the insignia of FSB’s 16th Centre (from UK gov)
- Version 4.5 (01 April 2022): Added the FGUP TsNIIKhM
- Version 4.0 (28 March 2022): Updated the FSB’s 16th Center
- Version 3.5 (04 November 2021): Added 4th Section of SCO
- Version 3.0 (25 April 2021): Reorder the diagram to be easier to read
- Version 2.5 (25 April 2021): Added the missing parent organizations
- Version 2.2 (24 April 2021): Added the missing flag
- Version 2.0 (19 April 2021): Separate 6th Dir. centers (thanks to @WylieNewmark)
- Version 1.0 (16 April 2021): First publication.
Turla is under the 16th center according to the document https://web.archive.org/web/20230510081641/https://flashpoint.io/wp-content/uploads/Application-for-Search-Warrant-Snake-Malware-Network.pdf
Please don’t post my comment, thanks.
will
May 17, 2023 at 12:55
You’re right, that was the previous attribution. As per the US government: https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_1.pdf it’s the 16th Center. I’ll update it.
Thank you!
xorl
May 17, 2023 at 18:09