September 4, 2018 • Amanda McKeon
Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity vulnerabilities, and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares.
Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 72 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity threats and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares.
Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found. Stay with us.
We’ve done a bunch of research in the last year on various countries’ national vulnerability databases, particularly the U.S.’s and China’s, and we realized over the course of the last year that there are a lot of things you can learn about — not just vulnerabilities and how fast countries publish, but about the countries themselves, how they approach information security. From an intelligence perspective, we found that there was invaluable data for anticipating and maybe even preventing a cyber intrusion. So, we decided to apply that same technique to Russia’s national vulnerability database, which is run broadly by its military.
It’s a completely different setup. I don’t even know if I would call it a database, broadly, because it’s so incomplete, but it’s really a different setup than either the U.S.’s NVD or China’s, so we just dug into using kind of the same techniques — how they publish, when they publish — all kinds of stuff like that.
So, before we dig into how Russia does what they do, can you give us a little brief overview of how the U.S. and how China handles theirs and the parts it plays in their overall attitude toward defense?
So, the U.S.’s national vulnerability database, or NVD, was the first one to be stood up. The U.S. NVD is run by NIST, or the National Institute of Standards and Technologies, and it’s part of DHS and the Department of Commerce, jointly. It’s run mainly as a transparency function so that general consumers and businesses in the U.S. and across the world have a centralized repository for looking at vulnerabilities on their computers, responding to them, installing the patches, and upgrading their information security.
For most of the IT world, the U.S. NVD has the gold standard in terms of the content it publishes, the type of vulnerabilities it addresses, and the comprehension of its database. The other one we’ve taken a look at is China’s national vulnerability database, or CNNVD. This one is different from the U.S. NVD in that it’s run by their equivalent of the CIA, which is the Ministry of State Security. It’s run by an intelligence service. China’s vulnerability database is very fast in publishing vulnerabilities broadly. It’s faster than the United States. It includes some vulnerabilities that the United States database does not, but broadly, China’s database is used by its intelligence services to look for vulnerabilities that the intelligence services could be using in their own cyber operations.
So, China has done quite a poor job of balancing the kind of transparency and public service mission of a vulnerability database with the intelligence mission of the organization who runs it. So there’s quite a different application of vulnerability management than the United States database.
And these databases are widely available to anyone? You don’t have to be a resident of a particular country to be able to see what’s in them?
No, no, they’re available to everyone. It’s just a language barrier issue for most people. The U.S. database is in English, China’s is in Chinese, and Russia’s is in Russian.
All right, well, take us through the background. What happened when Russia decided to spin up their own here?
Yeah. So, Russia decided to start their own vulnerability database in 2014. That was about 14 years later than the United States, and at that point, you know, there’s 14 years of vulnerabilities for them to catch up on. Their database is sort of broadly known as the BDU. There’s not a great English translation for it, so just call it the BDU.
So in 2014, they started reporting vulnerabilities. There were about 1,000 reported that year, and then they really ramped up publication in 2015. Then, after that, publication went down again in 2016, ’17, and ’18 to much smaller … maybe 2,000 to 3,000 vulnerabilities per year.
So, on average, you see, even though Russia started their vulnerability database quite a deal later than the United States, they only report about 10 percent of vulnerabilities that are identified globally. They only published 10 percent. Their vulnerability database, like I mentioned before, is run by the Russian military, by an organization there called Federal Service for Technical and Export Control, or FSTEC, as we refer to it.
The mission of that organization is not like the U.S. NIST. It’s a military-run organization. Its mission is to protect the information systems of Russia’s government and critical infrastructure. So, with Russia, our research dives into the fact that they don’t even pretend to have a public service mission like China does. They publish only vulnerabilities that are used on Russian information systems or in Russian critical infrastructure that they are concerned about protecting. So that’s a real contrast to both how the U.S. approaches vulnerability management and to how China approaches it as well.
Now, the Russian database — does it end up being a subset of the U.S. database? It’s interesting to me that they didn’t start out by just vacuuming up our database and using that as a starting point.
Yeah. It’s an interesting study because they could have very well done that, because like you said, especially the U.S. vulnerability database — it’s open to everyone. You can harvest the information from it. So, they could have started out with … I think at that point, in 2014, the U.S. had somewhere around 80,000 vulnerabilities, so they could have started out from that point.
Russia’s vulnerability database, also, is really slow. On average, the delay between the time that a vulnerability is revealed and by the time it’s published in the Russian database, even though they only publish 10 percent of all vulnerabilities, is 95 days. So it’s over three months, which is really substantial and it doesn’t make a lot of sense for anyone to really rely on that database.
Broadly, too, if you look at the technologies that they focus on — what we would call “over covering” — there are a number of technologies that they cover substantially more than 10 percent of the vulnerabilities for. These include widely-used software and hardware technologies and vendors like Adobe, Linux, Microsoft, Apple, Mozilla, Google, those types of things.
From our perspective, because of Russia’s overt mission, this database is explicitly for protecting Russian information systems. You can really learn more about what Russia has and what Russia runs on their own state information systems, than really about what Russia is seeking to target for cyber operations abroad.
So this is more inward facing, I guess, to people within the organization to point out, “Hey, these are the things that deserve your attention.”
Yes. So I think the other thing that we’ve learned is, there’s a couple of missions for FSTEC, this parent organization to the vulnerability database. First is publication of these vulnerabilities and providing what we would call a “baseline” for Russian information systems. They all must have patched all of these vulnerabilities, and the vulnerabilities in the BDU form that baseline. So there’s a standard baseline across Russian government information systems. Here is what it is — it’s in the BDU. Find it and do it.
The second part of this, though, is that the larger mission of FSTEC is to do what’s called these “reviews” of technology, or technology licensing. This is a technique that’s used to a certain extent by China as well, in which the government — the Russian or Chinese government — has mandated technology and product reviews of particularly foreign information technology that companies would like to sell in their domestic marketplaces.
And in this case, the government, FSTEC, requires that people or companies get a license, and in order to get that license, they have to subject their software or hardware to these technology reviews that are conducted by FSTEC. The reviews, in many cases, require a source code review by members of Russia’s military, which FSTEC is, and then they’ll hand out a license for a company to be able to sign in Russia.
The BDU is also a baseline of security for these technology licensing reviews, but it also provides a legitimate cover for the Russian military to point to and say, “Look, we also run this vulnerability disclosure program. We need to discover any vulnerabilities in your software to keep our own country’s information technology secure.”
So in that sense, it’s not just an ineptitude that Russia covers only 10 percent of vulnerabilities, or it’s not just that they’re concerned only about Russian information systems — which they primarily are — but it’s also a function of this technology review program and providing this kind of legitimate cover to say: “Here’s what we require. This is the technological security baseline for you. Look at our database. We are a legitimate public service organization as well.”
Now, one of the things that you look at in your research here is, you contrast the database against known Russian APTs. Can you take us through what you learned there?
Yeah, so this was really interesting, I think. What we did is, we tried to apply one of the same techniques we used with the U.S. and Chinese research, which was to identify vulnerabilities exploited by each country’s APTs or certain groups, and to determine how many of those were reported by each country’s vulnerability database, and try to figure out what that means. So, for China, for example, very few of their vulnerabilities were reported in a timely manner by CNNVD. And during that publication line, we discovered in a number of cases that there were Chinese APTs actually exploiting those vulnerabilities in their own operations.
For Russia, interestingly enough, it was the complete opposite. So in this case, we identified 49 vulnerabilities that Russian threat groups were actively exploiting. And among those 49, 30, or 61 percent, were actually published in the BDU, so that’s substantially higher than China. Among those 30 that were published, which is well over half, APT 28, which is attributed to Russia’s main intelligence director, or the GRU, was published in the BDU. That’s a substantial amount, and it amounts to FSTEC publishing 60 percent of vulnerabilities being actively exploited by the Russian military.
In this case, we think that there are two fundamental reasons for that. The first could be that, since FSTEC’s mission is to protect Russian government information systems, the Russian government systems also utilize these programs because they’re very widely used software and hardware vulnerabilities. So the same vulnerabilities that Russian APTs are exploiting are also present on Russian information systems, and they’re using the BDU to patch them and clean them up.
The second is — which I think is also likely — that military intelligence services are obligated to protect Russian information systems with the knowledge that they possess on vulnerabilities, in addition to their offensive cyber operations. They have a dual mandate. In this case, our assessment is that the GRU, for example, has this dual mandate: for one, obviously, to use cyber operations to conduct intelligence operations and collect information on foreign intelligence targets abroad, and second, for this information security and defense mission in which they’re also obligated to use the information and the knowledge that they have about offensive operations to protect the Russian government information systems.
But I think that’s not the most likely scenario that we see. What you can learn from the BDU database is, one, what kind of information systems and technologies are in Russian government, and two, that the GRU also has these balancing mandates, protecting the Russian state and offensive cyber operations.
Right. Saying to everybody, “Hey, this is where we’ve placed the virtual landmines, so heads
Yeah, kind of. And that’s not entirely unusual. Many U.S. intelligence agencies also have those dual mandates. A part of them conduct foreign intelligence operations overseas and the other side conducts the defensive mission. So it wouldn’t be unusual for an intelligence service to balance those two dueling mandates.
Now, you sort of wrap up your research here by asking the question, “Why does FSTEC publish so few vulnerabilities?” You’ve walked through some likely hypotheses, so can you take us through those?
Sure. So, broadly, we struggled for a long time with, why put the effort in to report so few vulnerabilities? Our broad survey of — we would just be both searching the internet and also talking to some of the contacts that we knew in information security and corporate world. Nobody utilizes the BDU. It’s not a primary source for any company or any person or organization. So, we just kind of struggled with, why does Russia even devote the resources to publishing this meager amount, this 10 percent that they do? So, we came up with three hypotheses and we scratched off two.
So, our first one was that FSTEC is just vastly under-resourced, and it only has the ability to focus on very key technologies that Russian users utilize. So, the hypothesis there is, they’re all under-resourced and overworked, and they can’t possibly do everything. We ended up crossing that one off the list because its own documents say that FSTEC has over 1,100 employees, and that most of those employees are responsible for this technology review and vulnerability information security mandate. That’s more than NIST, which runs the U.S. NVD, currently has. That was a hypothesis we crossed off quite quickly, because it was clear that FSTEC was not under-resourced.
The second hypothesis we tackled was that FSTEC has these dual offensive and security missions, and that it publishes similarly to China’s NVD — that it has to balance the demands of offense against the demands of defense. But in all the documentation that we review, we really found that FSTEC doesn’t have an offensive cyber mission. It’s really focused almost solely on defense, and the technology reviews are mainly secure Russian government information systems used to gain insight into these foreign technologies, not for offensive cyber mission operations.
So that left us with our last hypothesis, which was the most well supported, and that is that FSTEC is a military organization. It’s publishing just enough content in the BDU to be credible as a national vulnerability database, and FSTEC really just has a defensive mission. They’re just trying to protect Russian government information systems, and part of that is to provide this baseline for the information systems vulnerability management. The larger part of their database is simply to provide this cover right for their foreign technology inspections and their code reviews of foreign software. So unlike China’s national vulnerability database, for example, Russia does not — it doesn’t seem to — delay publication of a vulnerability so that the military can utilize it in offensive cyber operations before they publish it. We just saw no evidence to support that.
That’s interesting. And I guess that ties into how long it takes them to publish anything.
Right. They take a long time to publish anything, and if anything, the data actually points to the fact that Russia’s APT groups are actually utilizing vulnerabilities that are published in the BDU, not vulnerabilities that are not published in the BDU.
Now, do any vulnerabilities show up in their database that don’t show up in the other two — the U.S. and China’s?
Russia has a slightly different system that’s not completely analogous to the CVE numbers used by the U.S. and China. They report things by vulnerability, for example, and they have a different numbering scheme. So, it’s not 100 percent analogous. But broadly, I think there are almost no vulnerabilities in the BDU that are not in the U.S. NVD.
So, what are the overall “take-homes” here for you? What do you walk away with in terms of being informed about how the Russians were approaching this sort of thing?
So I think if you talk about why anyone should follow the BDU, or what we are learning here, there are a few takeaways. So, one, from an intelligence perspective, if you as a person or a company or professional are interested in what Russia is running on their own government information systems, then following the BDU gives you great insight into that.
Two, there’s a possibility that the over-reported technologies or the over-reported vendors — the technologies that Russia reports substantially more than 10 percent of — could also be the vulnerabilities that are exploited by Russian APTs, specifically the GRU and APT28. Because in that case, the data showed that over 60 percent of the vulnerabilities used by APT28 were being reported in the BDU. We don’t have a direct link that confirms that. I think it’s a moderate-confidence possibility and it’s something for defenders to be utilizing as a source of information anyway.
And third, that Russian military intelligence also has the same obligations, in which they have the obligation to conduct offensive cyber operations for intelligence collection, but also, they are obligated to use their own cyber knowledge to protect Russia’s state information systems as well.
And then, lastly, that this database is being used as a cover for foreign technology reviews. As companies were seeking to sell software in Russia, you should be under no illusion of who you are dealing with. The FSTEC is the Russian military, period. The Russian military serves the interests of the Russian state, and of Russia’s national security, more broadly. Subjecting your technologies to inspection by this organization yields a number of secondary and tertiary risks to both your technology and to the potential customers and users globally.
So that’s another point that we want to foot stomp, that these technology inspections that FSTEC is broadly being used to legitimize are still run by the Russian military, and they’re not these benevolent inspections in which an entity is looking for vulnerabilities in their code. They’re requiring these inspections to get more information on these technology companies to support and protect Russia’s own government and information systems.
Our thanks to Priscilla Moriuchi for joining us.
You can read the research that she co-wrote with Dr. Bill Ladd, also from Recorded Future. It’s titled “Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysis.” That’s on the Recorded Future website in the blog section.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.