From Moonlight Maze to SolarWinds: how Russian APT groups operate?

The goal of this study was to investigate how the most advanced groups carrying out cyberattacks operate. The topic was chosen because there is little peer-reviewed research on it, even though data on the groups is publicly available. The groups selected for study were APT28, APT29...


Bibliographic Details
Main Author: Hönö, Olli
Faculty: Faculty of Information Technology (Informaatioteknologian tiedekunta), University of Jyväskylä (Jyväskylän yliopisto)
Department: Information Technology (Informaatioteknologia)
Format: Master's thesis (Pro gradu -tutkielma)
Language: English
Published: 2023
Subjects: Advanced Persistent Threat; APT; APT groups (APT-ryhmät); cyber attacks (verkkohyökkäykset); cyber security (kyberturvallisuus); tactics (taktiikka); techniques (tekniikat); procedures (menettelyt)
Online Access: https://jyx.jyu.fi/handle/123456789/92296 ; http://www.urn.fi/URN:NBN:fi:jyu-202312138287 ; full text (PDF): https://jyx.jyu.fi/bitstreams/99f41e15-39c7-4cdc-9bb5-7aae331b178b/download
Abstract

The goal of this thesis was to study how the most advanced and sophisticated cyberattack groups, also known as Advanced Persistent Threat (APT) groups, operate. This was done by analysing data that the cyber security industry has made available on APT28, APT29 and Turla, all APT groups that have been connected to Russia. Russia-connected groups were chosen because they are considered particularly active, they have been connected to high-profile attacks, and a large amount of data exists on them. The thesis was motivated by the lack of peer-reviewed research on this topic despite the publicly available data on these groups. The thesis answered the questions "How do APT groups connected to Russia operate?" and "Do APT groups connected to Russia operate in a similar manner?".

The research was conducted by performing qualitative content analysis on the data that is available about these groups. A model called the Unified Kill Chain, which was designed to increase the understanding of advanced cyberattacks, was used in the analysis to provide additional structure. The model provided ways to categorize and compare the tactics, techniques, and procedures (TTPs) used by the groups studied. The identified TTPs were used to create models which depict identified attacks by these groups. These TTPs and models, identified from the data, were then used to answer the research questions.

The thesis showed that the groups studied operate with a wide selection of tactics, techniques, and procedures, and that they are capable of changing their TTPs when necessary. These groups generally perform their attacks by using malicious emails or by luring their victims to a compromised website carrying malicious content, and they generally attack for the purpose of stealing sensitive information. The research also showed that the groups studied operate in mostly similar ways, although some differences could be identified between them. The commonalities among the groups show areas on which defenders can focus in order to hinder the activities of all of these groups. The differences identified between the groups can offer analysts and researchers points to focus on in future work.
Record metadata
Advisor: Lehto, Martti
Date issued: 2023; accessioned and made available in JYX: 2023-12-13
Extent: 131 pages
Type: master thesis (dc.type.ontasot: Master's thesis / Pro gradu -tutkielma; dc.type.coar: http://purl.org/coar/resource_type/c_bdcc)
Discipline: Kyberturvallisuus (cyber security), subject code 601
Rights: In Copyright, © The Author(s) (https://rightsstatements.org/page/InC/1.0/); access level: openAccess
Identifiers: https://jyx.jyu.fi/handle/123456789/92296 ; URN:NBN:fi:jyu-202312138287
Contract research funding: 0