VMware Russian APT Threat Report
by Tom Kellermann and Greg Foss

Understanding Nation-State Motives and APT Groups

In 2013, the Russian chief of the General Staff gave an infamous speech outlining an operational concept for confronting the West with hybrid warfare. The Gerasimov doctrine is a whole-of-government concept that fuses hard and soft power across many domains and transcends the boundary between peacetime and wartime.

The doctrine is an effort to develop an operational stratagem for Russia’s confrontation with the West. The stratagem is founded on the principle that the Achilles heel of the U.S. is its dependency on technology, a dependency that can be undermined and corrupted through cyberespionage. Four primary APT groups serve as the vanguard—Turla, APT28, APT29 and the Sandworm Team—along with various other groups suspected of conducting cyberespionage on behalf of the Russian government.

The threat actors who have risen to prominence following the SolarWinds compromise are also believed to be highly skilled Russian cyber operatives.

This report explores the tactics, techniques and procedures (TTPs) these groups have used over the years and offers predictions on how their operations will evolve in 2021 and beyond. It brings together research and analysis from the VMware Howlers, the VMware Threat Analysis Unit™, and the security industry at large.