
Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysis [Report]

Published: July 16, 2018
By Priscilla Moriuchi and Dr. Bill Ladd


Click here to download the complete analysis as a PDF.

Scope Note: Over the course of the past year, Recorded Future has examined the publication speeds, missions, and utility of the national vulnerability databases (NVDs) of two countries: China and the United States. We decided to apply the same analytic techniques to Russia’s vulnerability database to see what we could learn. This report includes a detailed analysis of vulnerabilities published by the Federal Service for Technical and Export Control of Russia (FSTEC), official Russian government documents, Recorded Future data, and open source intelligence (OSINT). The data analyzed for this report was compiled on March 30, 2018.

Executive Summary

Russia’s vulnerability database is highly focused. However, it is incomplete, slow, and likely intended to support the control of the Russian state over technology companies and users. Generally, Russia publishes only 10 percent of known vulnerabilities, is on average 83 days slower than China’s National Vulnerability Database (NVD), 50 days slower than the U.S. NVD, and incomplete in the few technologies it does cover.

Key Judgments

  • Russia’s vulnerability database is run by the Federal Service for Technical and Export Control of Russia (FSTEC). FSTEC is the military organization responsible for protecting state secrets and supporting counterintelligence and counterespionage operations.

  • FSTEC’s vulnerability database is also known as the BDU (Банк данных угроз безопасности информации). The BDU has published only 11,036 vulnerabilities of the 107,901 CVEs reported by NVD (approximately 10 percent).

  • FSTEC has published 61 percent of the vulnerabilities exploited by Russian state-sponsored threat groups. This is well above its baseline of 10 percent, but the data is insufficient to determine what influence Russian intelligence services have on FSTEC publication.

  • FSTEC populates the BDU database primarily with vulnerabilities that threaten Russian state information systems. This gives researchers insight into which technologies, hardware, and software are used on Russian government networks.

Background

The Federal Service for Technical and Export Control of Russia (FSTEC) was established in 2004 and is subordinate to the Ministry of Defense (MOD). FSTEC has a central office in Moscow, seven regional “headquarters,” and an information security research and testing institute known as the State Science and Research Experimental Institute of Technical Information Protection Problems of FSTEC, or the GNIII PTZI FSTEC.


FSTEC headquarters in Moscow, 105066 Moscow, ul. Staraya Basmannaya, 17.

The prime minister’s official website describes FSTEC as “a federal executive body responsible for implementing government policy, organizing interdepartmental cooperation and interaction, and exercising special and control functions in the area of state security.”

Additional official documents published in 2016 state that FSTEC implements state policy, organizes interdepartmental cooperation, and carries out special functions of state security in the following areas:

  • Security of information systems
  • Countering foreign technical threats to Russia
  • Security of state secrets
  • Export control

As intimated in the organization’s title, the first three areas fall squarely under the technical control mission. According to our extensive review of FSTEC documentation, export control likely assumes a much smaller share of FSTEC resources than all of the tasks and functions under technical control. The technical control mission covers internal control, state information systems, and foreign technology sold in Russia.

While subordinate to the MOD, FSTEC has a much longer and more extensive list of authorities, particularly in the realms of technical control and security of state secrets. According to documentation listed on FSTEC’s website, the organization also regulates commerce surrounding materials that could be used in chemical and nuclear weapons, counters technical intelligence, issues opinions on the use of Russian territory for foreign scientific research, and finances research on the study of radiation emitted from different types of systems and devices.

FSTEC also has a board composed of senior officials appointed by position. The board includes the First Deputy Chief of the General Staff of the Russian Armed Forces, a Deputy Minister of Internal Affairs, the head of the Economic Security Service of the Federal Security Service (FSB), and a Deputy Director of the Foreign Intelligence Service (SVR), among others. The board's main functions are setting and managing the FSTEC budget and coordinating interdepartmental functions.

Among the numerous responsibilities under FSTEC's four main functions, it also cooperates with the FSB to protect state secrets, supports technical counterintelligence and counterespionage,1 and has the authority to monitor the communications of officials who handle state secrets.

FSTEC is currently run by Director Vladimir Selin, who has been in that position since May 2011. Selin is supported by one First Deputy Director, Sergey Yakimov, and four Deputy Directors. In addition to his position as Director of FSTEC, Selin is also a member of the Defense Ministry Board, and Deputy Chairman of the Commission on State Secrets (on which he sits with Chief of the General Staff of the Russian Military General Valery Gerasimov).

According to official state documents, in 2015 FSTEC was assigned a total of 1,111 employees, not including security, protection, or maintenance personnel. Of the 1,111 employees, 225 are located in the Moscow headquarters, and the remaining 886 are spread out over FSTEC’s seven regional offices.

Given the mission focus on technical control, it is likely that the majority of these 1,111 employees work on issues related to this mandate, while a much smaller minority support FSTEC’s export control work.

FSTEC’s Vulnerability Publication Process

FSTEC also runs a vulnerability publication database, to which it provides public access via the website bdu.fstec.ru/vul. The homepage states that the purpose of the database is to “increase the awareness of interested persons in existing threats to information security systems” and that it is designed for a wide range of customers, operators, developers, information security professionals, testing laboratories, and certification bodies.

FSTEC also states that the database “contains information about the main threats to information security and vulnerabilities, primarily those characteristic of state information systems and automated systems for managing production and technological processes of critical facilities.”2


Homepage of FSTEC’s Security Threats Database, which lists the purpose and intended audience for the data.

FSTEC does not claim that this database is exhaustive. Instead, it focuses on publishing vulnerabilities for information systems used by the state and in “critical facilities.” This mission is also exhibited in the responsibilities and activities of FSTEC’s seven regional departments. The majority of tasks levied upon each of the regional headquarters are overwhelmingly centered around countering foreign technical intelligence and protecting state information systems and data within each district. Of the 10 or 11 tasks levied upon each of the regional headquarters, the top seven all concern countering foreign technical intelligence collection and protecting state information systems, while the remaining relate to export control.

Reporting a threat or vulnerability to the database (known as the BDU) is relatively straightforward. FSTEC provides a submission form that nearly mirrors the vulnerability entry itself.


FSTEC vulnerability submission form.


FSTEC BDU entry for CVE-2018-8148.

FSTEC also provides a simple download link to retrieve the entire database as an Excel or XML file. These downloads include the fields typical of other vulnerability databases: an internal ID, the corresponding CVE identifier, the affected technology, links to supporting documentation, and a severity rating. What is not included in this release is the date on which FSTEC first published the vulnerability. We established this date using proprietary techniques for the vulnerabilities FSTEC has published since January 1, 2017.

FSTEC Is Not a Public Service Organization

FSTEC is subordinate to the Ministry of Defense (MOD), is run by the MOD, and is administratively part of it. FSTEC's current senior leadership, including the Director, the Deputy Directors, and all of the heads of the regional headquarters,3 are all former military officers, and many of them previously served at FSTEC as officers or reservists.


Screenshot of the biography of Pavel Maksiyakov, head of FSTEC's Volga regional office.

FSTEC’s primary mission is explicit, documented, and repeated in law after law and order after order; state security is its overarching mandate. Unlike “sister” organizations in other countries, such as CNITSEC in China (which runs CNNVD), FSTEC does not claim to have a public service mission, but instead populates its vulnerability database (BDU) with vulnerabilities that primarily present a threat to state information systems. However, FSTEC is dissimilar to CNITSEC in that FSTEC is an overt military organization with an overt state secrecy mission.

A 2014 meeting between Chinese Premier Li Keqiang and Russian Prime Minister Dmitry Medvedev indicates that the Russian government views the Chinese Ministry of Commerce as the functional Chinese counterpart to FSTEC, not CNITSEC or the Ministry of State Security. This is probably because of FSTEC’s primary focus on technical control of the domestic information and technology environment, which is a much broader mission than CNITSEC’s.

Since FSTEC is an overt military organization, the questions about FSTEC’s vulnerability database primarily center around why FSTEC even publishes the few vulnerabilities that it does. As documented below, the BDU is extremely slow and not comprehensive. The few vulnerabilities it does publish tell us more about FSTEC’s mission and Russian state information systems than the intentions of the Russian military for offensive cyber operations.

Threat Analysis

FSTEC began publishing vulnerability data in 2014, roughly 15 years after the U.S. National Vulnerability Database (NVD) was established. As shown below, FSTEC vulnerabilities published by year show a small initial volume in 2014, a surge in 2015, and then a decline in publications from 2016 through 2018.


Russian vulnerabilities published by year.

What Happened in 2015?

In examining the mapping of FSTEC’s BDU identifiers to NVD’s CVE identifiers, we observed that the mappings were not always one to one. FSTEC occasionally linked multiple CVEs into a single BDU vulnerability, and also occasionally created multiple BDU identifiers for different operating systems vulnerable to a single CVE. Russian BDUs cover 11,036 — or approximately 10 percent — of the 107,901 CVEs reported by NVD. This difference is not simply due to FSTEC starting later, as approximately 25 percent of CVEs covered by FSTEC were from years before FSTEC began operation.

Despite the non-linear correlation between BDU and CVE identifiers, it is clear that FSTEC published far more vulnerabilities in 2015 than any other year. This is probably because 2015 was an experimental year for the BDU database, in which FSTEC evaluated its functionality and utility. Although the 2015 FSTEC annual activity report (issued in March 2016) did not address the outcome of the BDU experiment, it is clear from the data that a decision was made to drastically reduce the scope and number of vulnerabilities published. A narrower scope is also in better alignment with the database’s public mission, which is to report on vulnerabilities in information systems used by the state or in “critical facilities.”

In addition, 75 percent of the vulnerabilities that FSTEC published fastest were for browsers or industrial control-related software.

In a previous report evaluating the difference in vulnerability disclosure rates between the Chinese and U.S. national vulnerability databases, we found that China was on average far faster at disclosing vulnerabilities than the United States. Examining the vulnerabilities published in 2017 and 2018 that are common to all three national vulnerability databases, we found that Russia's disclosures lag substantially behind those of the United States and China. Russian vulnerability disclosure is not only incomplete, but also very slow.


Days of delay in vulnerability disclosure across national vulnerability databases.

To better understand how FSTEC selected vulnerabilities to disclose, we examined the technology vendors that FSTEC covered at a higher rate than expected given its overall coverage level of 10 percent. The black line in the two charts below (at the value for 10) represents the 10 percent of all vulnerabilities that FSTEC publishes. All vendors with coverage under 10 percent are considered “under covered,” and all vendors substantially over 10 percent are considered “over covered.”
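Added example (not part of the report, and not FSTEC's or Recorded Future's code): a Python sketch of the analysis described above, computing overall and per-vendor BDU coverage against the 10 percent baseline, handling the non one-to-one BDU-to-CVE mapping noted earlier, and the publication lag relative to NVD. The BDU and NVD records are constructed samples in a simplified layout, not the real BDU export schema, and the vendor names are placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows standing in for a BDU export: (bdu_id, cve_ids, bdu_publish_date).
# This is NOT the real BDU schema; it only models the fields the report discusses.
# One BDU entry may bundle several CVEs, and one CVE may appear under several
# BDU ids (e.g. one per affected operating system), as the report observes.
BDU_ROWS = [
    ("BDU:2018-00001", ["CVE-2018-0001", "CVE-2018-0002"], date(2018, 3, 20)),
    ("BDU:2018-00002", ["CVE-2018-0003"], date(2018, 4, 2)),
    ("BDU:2018-00003", ["CVE-2018-0003"], date(2018, 4, 5)),  # second OS entry
    ("BDU:2018-00004", ["CVE-2018-0010"], date(2018, 2, 1)),
]

# Constructed NVD-side sample: cve_id -> (vendor, nvd_publish_date). Vendors are placeholders.
NVD = {
    "CVE-2018-0001": ("vendor_a", date(2018, 1, 10)),
    "CVE-2018-0002": ("vendor_a", date(2018, 1, 12)),
    "CVE-2018-0003": ("vendor_b", date(2018, 2, 1)),
    "CVE-2018-0004": ("vendor_b", date(2018, 2, 3)),
    "CVE-2018-0005": ("vendor_b", date(2018, 2, 5)),
    "CVE-2018-0006": ("vendor_c", date(2018, 1, 20)),
    "CVE-2018-0007": ("vendor_c", date(2018, 1, 21)),
    "CVE-2018-0008": ("vendor_c", date(2018, 1, 22)),
    "CVE-2018-0009": ("vendor_c", date(2018, 1, 23)),
    "CVE-2018-0010": ("vendor_d", date(2018, 1, 24)),
}

def cve_to_bdu(rows):
    """Invert the export into CVE -> set of BDU ids, preserving the many-to-many links."""
    mapping = defaultdict(set)
    for bdu_id, cves, _ in rows:
        for cve in cves:
            mapping[cve].add(bdu_id)
    return mapping

def mapping_stats(rows):
    """(BDU entries, distinct CVEs, BDU entries bundling >1 CVE, CVEs split over >1 BDU id)."""
    inverted = cve_to_bdu(rows)
    multi_cve = sum(1 for _, cves, _ in rows if len(cves) > 1)
    multi_bdu = sum(1 for ids in inverted.values() if len(ids) > 1)
    return len(rows), len(inverted), multi_cve, multi_bdu

def overall_coverage(rows, nvd):
    """Share of NVD CVEs that have at least one BDU entry (the report's ~10 percent figure)."""
    covered = set(cve_to_bdu(rows)) & set(nvd)
    return len(covered) / len(nvd)

def vendor_coverage(rows, nvd, baseline):
    """Per-vendor coverage share, labelled over/under relative to the overall baseline."""
    covered = set(cve_to_bdu(rows))
    total, hit = defaultdict(int), defaultdict(int)
    for cve, (vendor, _) in nvd.items():
        total[vendor] += 1
        if cve in covered:
            hit[vendor] += 1
    result = {}
    for vendor in total:
        share = hit[vendor] / total[vendor]
        label = "over" if share > baseline else "under" if share < baseline else "at"
        result[vendor] = (round(share, 3), label)
    return result

def publication_lag_days(rows, nvd):
    """Days from NVD publication to the earliest BDU entry, per CVE present in both."""
    first_seen = {}
    for _, cves, published in rows:
        for cve in cves:
            if cve in nvd and (cve not in first_seen or published < first_seen[cve]):
                first_seen[cve] = published
    return {cve: (pub - nvd[cve][1]).days for cve, pub in first_seen.items()}
```

The lag function deliberately takes the earliest BDU entry for a CVE, since a CVE split across several BDU ids would otherwise be counted more than once.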


Percentage of vendor CVEs covered by FSTEC.


Percentage of vendor CVEs covered by FSTEC.

A similar analysis found that, relative to its baseline coverage level across all technologies, FSTEC significantly under covers content management systems (e.g., WordPress, Joomla, Drupal) as well as IBM and Huawei.

Russian APT Vulnerability Coverage

A 2016 Recorded Future publication provided an analysis of the vulnerabilities used by Russian APTs, in particular the most commonly targeted vendors.


Image from a Recorded Future blog, “Running for Office: Russian APT Toolkits Revealed.”

The vendors of all of these technologies are listed among FSTEC's areas of focus; that is, FSTEC has published more than 10 percent of the vulnerabilities discovered in each vendor's products. However, each of these vendors produces some of the most widely used software in the world, and it is reasonable to expect that Russian APT groups would target these technologies.

To examine this point further, we also conducted an updated analysis of all vulnerabilities exploited by Russian APT groups over the past four years. Using only vulnerabilities with a CVE number that were also published by the U.S. NVD and CNNVD, we identified 49 vulnerabilities that Russian APT groups exploited during that period.

Thirty of those 49 vulnerabilities, or 61 percent, were published by FSTEC. This is substantially higher than FSTEC’s average of 10 percent. Further, 18 of those 30 published vulnerabilities have been exploited by APT28, which has been attributed to the Russian military’s Main Intelligence Directorate (GRU). This amounts to FSTEC publishing 60 percent of vulnerabilities exploited by the Russian military. This is far outside FSTEC’s statistical average of 10 percent.

Again, many of these vulnerabilities are for the most widely used software in the world. However, this abnormally high reporting rate for both the software vendors and vulnerabilities themselves raises two possibilities. First, since FSTEC’s mission is to protect Russian government information systems, this indicates that Russian government systems utilize these programs and were themselves exposed to these vulnerabilities as well. This is further confirmation that examining FSTEC publications can yield insight into Russian government information systems.

Second, FSTEC is a military organization, has several military intelligence officials on its board, and regularly interacts with military intelligence agencies to protect classified systems. It is possible that military intelligence, with its knowledge of vulnerabilities, is obligated to protect Russian state information systems, or that Russian military hackers are using the vulnerabilities published by FSTEC in their operations.

The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations. However, it is clear that FSTEC’s vulnerability database is utilized by Russian intelligence services in a different manner than CNNVD is by Chinese intelligence. In China, CNNVD delays or hides the publication of vulnerabilities being used by the intelligence services, while in Russia, it is possible that FSTEC publishes vulnerabilities being used by the intelligence services in order to protect against them.

The only highly covered vendor that FSTEC covers but that is not listed above is Novell.

The over-coverage analysis showed that FSTEC focuses on Adobe more than on any other single vendor, covering nearly half of all Adobe vulnerabilities. However, a closer look at the Adobe vulnerabilities not covered by FSTEC revealed that FSTEC had not published 386 Adobe vulnerabilities with a CVSS score of 10 and 871 vulnerabilities with a score of 8 or higher. FSTEC is not comprehensive even in its disclosure of vulnerabilities for the technology area that receives the most attention in its data.

If FSTEC was a serious resource for vulnerability information, it would have to be faster and more comprehensive. Even FSTEC’s corporate partners do not claim to exclusively use the BDU database. We examine three hypotheses for why FSTEC publishes so few vulnerabilities below.

Technology Licensing

A primary portion of FSTEC’s technical control mission is to conduct product reviews and issue licenses to companies that want to sell their products in Russia. According to a June 2017 Reuters article, both the FSB and FSTEC conduct reviews of foreign technology including “source code for security products such as firewalls, antivirus applications, and software containing encryption before permitting the products to be imported and sold in the country.” The FSB reportedly utilizes certified partner companies to conduct some of the reviews, including a company called Echelon, which is also a partner to FSTEC in administration of the BDU database.

According to Echelon and the websites of a number of other certified FSTEC partners,4 the FSB is responsible for the reviews of cryptographic and encryption tools, while FSTEC issues licenses for the development or production and technical protection of “confidential information.” FSTEC licenses are broadly required for the production and sale of software in Russia.

Among FSTEC’s partners in administering the BDU, including Digital Security, Institute of System Programming of The V.P. Ivannikova Russian Academy of Science, Rusbitech, All-Tech-Soft, and Perspective Monitoring, only Echelon claims to be able to assist customers with FSTEC, FSB, and MOD reviews.

However, unlike the FSB, FSTEC does not use partners or intermediaries to conduct its reviews. In October 2016, FSTEC issued a clarification on its website, stating that FSTEC does not interact with “intermediaries” and does not work with any private organizations in the “provision of government services for licensing.”

FSTEC publishes a registry of licensees for each certification it issues. In 2018, 14 licenses were issued under the development and production registry, and 66 technical protection licenses were issued this year (as of July 9, 2018). This contrasts with 140 development and production licenses and 293 technical protection licenses issued in 2017.

Many well-known global companies have obtained these certifications, including Honeywell, Alcatel-Lucent, Kaspersky, Huawei, Hewlett Packard, Bombardier, Atos, and Symantec.


Schedule of foreign technology inspections conducted by FSTEC.

The criteria for obtaining an FSTEC license are so broad that it is difficult to assess what information from a software company would be considered unnecessary for the approval process. Also, while the certification regimes and credentials differ, the information that companies must share with FSTEC is very similar to what the FSB requires for licensing. This includes extensive data on personnel, facilities, products, software production and testing, and more.

Outlook

Why Does FSTEC Publish So Few Vulnerabilities?

As the research above demonstrates, FSTEC broadly publishes only about 10 percent of known vulnerabilities. The larger question is, “Why?” Why waste resources on a vulnerability disclosure database that does not address 90 percent of vulnerabilities for its users? There are three likely hypotheses:

  1. FSTEC is severely under resourced and can only focus on the core technologies used by Russian users and the major vulnerabilities in those technologies.

  2. FSTEC is a military organization and is publishing “just enough” content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software.

  3. FSTEC has a dual offensive and information security mission and publishes based on the competing needs. This would be similar to how China’s NVD (CNNVD) functions.

In prior research, we disclosed that the NIST Information Technology Laboratory (ITL) employs about 400 scientific and technological staff and possesses a budget of roughly $120 million annually. The ITL is comprised of seven divisions and runs numerous databases and systems, including the U.S. NVD. In comparison, Russia’s FSTEC has 1,111 employees, not including security, protection, or maintenance personnel, and a roughly comparable (if not slightly larger) bureaucratic structure and mission scope. While NIST ITL and FSTEC are not analogous organizations, this loose comparison does demonstrate that FSTEC is not vastly under resourced for its mission and that reporting only 10 percent of published vulnerabilities is a function of choice and not due to resource constraints.

Further, FSTEC does not even provide adequate coverage of the technology it focuses on most. As shown in our example above, FSTEC has published about half of all Adobe vulnerabilities; however, it is still missing over 1,000 Adobe vulnerabilities with a CVSS of “critical” or “high.” If Adobe truly were that important to it, then FSTEC would not omit the publication of these vulnerabilities with the highest possible severity scores. This leads to the conclusion that FSTEC does not determine the need for publication simply by focusing on several key technologies. This also rules out hypothesis number one, that FSTEC is hugely under resourced and does not have the personnel or capital to keep up with NVD.

Second, we find no evidence to support hypothesis number three, that FSTEC is following CNNVD’s model in trying to balance public disclosure and offensive cyber missions. FSTEC is not a public service organization — its database is not comprehensive or timely and does not publish enough vulnerabilities to support a broadly protective mission. FSTEC’s mission, instead, is very focused and specific: to protect Russian state and critical infrastructure systems and support counterintelligence efforts.

Additionally, FSTEC publishes the vulnerabilities exploited by Russian state-sponsored threat groups, whereas CNNVD delays or hides the publication of vulnerabilities exploited by Chinese intelligence services. If anything, FSTEC may be so focused on supporting Russian state information systems that the few vulnerabilities it does publish provide insight into the Russian government's priorities and software.

Finally, we assess with high confidence that hypothesis number two accurately describes the mission and intent of Russia’s NVD. This intent is that FSTEC’s vulnerability database provides a baseline for state information systems and legitimate cover for foreign technology reviews. According to February 2017 amendments to FSTEC documentation regarding inspection and requirements for state information systems, vulnerabilities in the BDU database are intended to provide a baseline of security — not a comprehensive vulnerability listing — for state information systems. This is further demonstrated by the surge in vulnerability publication during 2015, which was an experimental year for the database’s future functionality and led to subsequent publication declines. Our research and data indicate that the BDU database is not intended to be comprehensive, but is simply a baseline for government information systems security and software inspections.

It is also possible that given the functional, managerial, and informal overlaps between FSTEC and the FSB, some of the BDU database’s focus on the exact technologies Russian APT groups are known to favor could be derivative of FSB knowledge about its own operations and the exploitability of these technologies. There is minimal evidence to support this theory, aside from the overlap between the vulnerabilities that FSTEC over covers and those most used by Russian APT groups.

To that end, the vulnerabilities FSTEC publishes convey more information about the hardware and software used on Russian government networks than about which vulnerabilities Russian government agencies might target in offensive cyber operations.

1According to the National Counterintelligence and Security Center’s (NCSC) Counterintelligence Terms Glossary, counterespionage (CE) is a unique subset of counterintelligence and is the “offensive, or aggressive, side of counterintelligence.” “CE is an offensive operation, a means of obtaining intelligence about the opposition by using — or, more usually, attempting to use — the opposition’s operations.”

2This content was machine translated using Google Translate.

3Biographies of each regional head can be found under the “Территориальные органы” tab at https://fstec.ru.

4See http://rusbitech.ru/about/certificate/, and https://www.altx-soft.ru/license.htm.
